ASB-A-299123598
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-299123598.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-299123598
- Aliases
-
- A-299123598
- CVE-2023-4622
- Published
- 2024-05-01T00:00:00Z
- Modified
- 2024-08-07T19:29:49.331173Z
- Summary
- Linux Kernel Race Condition leads to UAF in Unix Domain Socket and causes LPE in Android
- Details
-
In unixstreamsendpage of af_unix.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
-
- https://source.android.com/security/bulletin/2024-05-01
- https://android.googlesource.com/kernel/common/+/e6ed59127c865
- https://android.googlesource.com/kernel/common/+/790c2f9d15b59
- https://android.googlesource.com/kernel/common/+/84d3e59750bbd
- https://android.googlesource.com/kernel/common/+/d39fc9b94dc07
Affected packages
Android / :linux_kernel:
Package
- Name
- :linux_kernel:
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 2118.0,
"function_hash": "74578476663412431466883751391350733343"
},
"id": "ASB-A-299123598-00d992af",
"source": "https://android.googlesource.com/kernel/common/+/d39fc9b94dc07",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c",
"function": "unix_stream_sendpage"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"248950612756612724065093709972738325357",
"279144108549210949441020903890615322329",
"16220953337162752779916020803348486468",
"203654826256204033757231210560604153267",
"260522720799231029387729392220418790987",
"86655572250296221835706980117084759542",
"322983119535394844659808779319684898409",
"30135840773779090171591045457747543630",
"291436812016123704043265508278090069461",
"166185117026504118168859716872522459700",
"30516924935334657074735959066607922916",
"166699174247796674368467584101246118722",
"175578990280298867692057496702032737660",
"207591957364424589282195218120637294974",
"152852358735968692568757231492658828030",
"137510011422766836065820052306096440041",
"241416977303368234603546312521807009668"
]
},
"id": "ASB-A-299123598-4f5d4535",
"source": "https://android.googlesource.com/kernel/common/+/d39fc9b94dc07",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"248950612756612724065093709972738325357",
"279144108549210949441020903890615322329",
"16220953337162752779916020803348486468",
"203654826256204033757231210560604153267",
"260522720799231029387729392220418790987",
"86655572250296221835706980117084759542",
"322983119535394844659808779319684898409",
"30135840773779090171591045457747543630",
"291436812016123704043265508278090069461",
"166185117026504118168859716872522459700",
"30516924935334657074735959066607922916",
"166699174247796674368467584101246118722",
"175578990280298867692057496702032737660",
"207591957364424589282195218120637294974",
"152852358735968692568757231492658828030",
"137510011422766836065820052306096440041",
"241416977303368234603546312521807009668"
]
},
"id": "ASB-A-299123598-569f3979",
"source": "https://android.googlesource.com/kernel/common/+/84d3e59750bbd",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 2118.0,
"function_hash": "74578476663412431466883751391350733343"
},
"id": "ASB-A-299123598-6c337f83",
"source": "https://android.googlesource.com/kernel/common/+/790c2f9d15b59",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c",
"function": "unix_stream_sendpage"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"248950612756612724065093709972738325357",
"279144108549210949441020903890615322329",
"16220953337162752779916020803348486468",
"203654826256204033757231210560604153267",
"260522720799231029387729392220418790987",
"86655572250296221835706980117084759542",
"322983119535394844659808779319684898409",
"30135840773779090171591045457747543630",
"291436812016123704043265508278090069461",
"166185117026504118168859716872522459700",
"30516924935334657074735959066607922916",
"166699174247796674368467584101246118722",
"175578990280298867692057496702032737660",
"207591957364424589282195218120637294974",
"152852358735968692568757231492658828030",
"137510011422766836065820052306096440041",
"241416977303368234603546312521807009668"
]
},
"id": "ASB-A-299123598-8be56e5e",
"source": "https://android.googlesource.com/kernel/common/+/790c2f9d15b59",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"248950612756612724065093709972738325357",
"279144108549210949441020903890615322329",
"16220953337162752779916020803348486468",
"203654826256204033757231210560604153267",
"260522720799231029387729392220418790987",
"86655572250296221835706980117084759542",
"322983119535394844659808779319684898409",
"30135840773779090171591045457747543630",
"291436812016123704043265508278090069461",
"166185117026504118168859716872522459700",
"30516924935334657074735959066607922916",
"166699174247796674368467584101246118722",
"175578990280298867692057496702032737660",
"207591957364424589282195218120637294974",
"152852358735968692568757231492658828030",
"137510011422766836065820052306096440041",
"241416977303368234603546312521807009668"
]
},
"id": "ASB-A-299123598-8ee8e9ea",
"source": "https://android.googlesource.com/kernel/common/+/e6ed59127c865",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 2118.0,
"function_hash": "74578476663412431466883751391350733343"
},
"id": "ASB-A-299123598-aadcf96a",
"source": "https://android.googlesource.com/kernel/common/+/84d3e59750bbd",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c",
"function": "unix_stream_sendpage"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2118.0,
"function_hash": "74578476663412431466883751391350733343"
},
"id": "ASB-A-299123598-f97e8ab2",
"source": "https://android.googlesource.com/kernel/common/+/e6ed59127c865",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "net/unix/af_unix.c",
"function": "unix_stream_sendpage"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/kernel/common/+/e6ed59127c865",
"https://android.googlesource.com/kernel/common/+/790c2f9d15b59",
"https://android.googlesource.com/kernel/common/+/84d3e59750bbd",
"https://android.googlesource.com/kernel/common/+/d39fc9b94dc07"
],
"spl": "2024-05-05",
"severity": "High",
"types": [
"EoP"
]
}