In multiple functions of rmap.c, memory corruption is possible due to a use-after-free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 687.0, "function_hash": "413876971249427366280981010431739294" }, "id": "ASB-A-253167854-2c699e73", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c", "function": "anon_vma_fork" }, "signature_type": "Function" }, { "digest": { "length": 235.0, "function_hash": "294861604179330059374891161424076166122" }, "id": "ASB-A-253167854-31b68f72", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c", "function": "anon_vma_alloc" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "53962649639763233970948212694881421515", "84884910008937723792924890095741653296", "289867361511434814136123946885745888236", "245903668714838938944946366142246911878", "7504442450920536846254297967102986599", "170665496767246331176487875624775263605", "168699009635849469993220089260387118541", "182287695170942524395419799087063004871", "533866088722823609017455530673486983", "313027068298794090365486964410309829326", "336493157822611584327939368899964601960", "296119125086239714642941165376460712027", "266265758359309360185401581924675077206", "36622159241989234324490422552343211678", "114366509948682029070596655782548042949", "193938668713863072987745587723473057740", "42832006219450414687602044916665859861", "147238279415313911581832328879523818383", "42702638619284906314173202170468475595", "186413678602772043095760350576427708437", "173048368773596193194083044067328405448", "158166927491439700286848852333255255347", "301527743379964096980997933040507532404", "71612227596357554682401515725270920600", "299490904399019313452172412026378390492", "71962879047266613195068785033495330736", "308375586868443743926771849697112842787", "5695837694089487521148948934220922801", "11497727573043574341907238339817413282", 
"287641481904851358730420512354555018348", "112298026522885300470890549776052790709", "314490892413925017290992948475146194491", "78541310617131215065574220616429276473", "222249550039722999987906512185799461883", "267222439639796914251981434040591952207", "187465436170710299502948888589123844046", "85196756190627545801528378347478082423", "271120847853824052285664116129678105206", "293007435426808708732828541317132284138", "195561005819661276361807507816859137686", "301682403224686008359860802743155404003" ] }, "id": "ASB-A-253167854-4acc8175", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c" }, "signature_type": "Line" }, { "digest": { "length": 749.0, "function_hash": "248798089287116874307980156262571407947" }, "id": "ASB-A-253167854-630a7523", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c", "function": "__anon_vma_prepare" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "28529880573164184256702864318383047754", "13882231745604494488027443938890665830", "16698794253301106328322973646249352856", "339657138332194339729048279335610990480", "22055166315496536466008059418266599137", "118371139073832862477863072944397281468" ] }, "id": "ASB-A-253167854-8e0402c8", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/rmap.h" }, "signature_type": "Line" }, { "digest": { "length": 749.0, "function_hash": "43011515890785096118418955014559653648" }, "id": "ASB-A-253167854-8e3825c2", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c", "function": "unlink_anon_vmas" }, "signature_type": "Function" }, { "digest": { 
"length": 706.0, "function_hash": "253495737710119128415430282118805701955" }, "id": "ASB-A-253167854-b162bc81", "source": "https://android.googlesource.com/kernel/common/+/4158b1508f2b1", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c", "function": "anon_vma_clone" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/4158b1508f2b1" ], "spl": "2023-07-05", "severity": "High", "types": [ "EoP" ] }