CVE-2021-46935

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46935
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46935.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-46935
Published
2024-02-27T10:15:07Z
Modified
2024-09-18T03:17:15.492764Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix async_free_space accounting for empty parcels

In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size.

Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8 bytes of async_free_space were leaked on every async transaction of 8 bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes.
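The accounting drift described above, modelled as an added example in C. This is not the binder driver's code: `alloc_async`, `free_async_buggy`, `free_async_fixed`, `leaked_after` and the 4096-byte async budget are constructed here to reproduce the one property the commit message states, namely that the allocator debits the padded buffer size while the unfixed free path credits back only the logical size, so each small async transaction leaves a few bytes of the per-process async budget unaccounted for until the limit trips.

```c
/* Added example: a model of async_free_space accounting, not binder code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed: an arbitrary per-process async budget for the model. */
#define ASYNC_SPACE_BYTES 4096

struct alloc_model {
    size_t free_async_space;   /* remaining budget for async transactions */
};

/* Round a size up to pointer alignment. */
static size_t align_ptr(size_t n)
{
    return (n + sizeof(void *) - 1) & ~(sizeof(void *) - 1);
}

/* Allocate an async buffer. Assumption (from the advisory): the allocated
 * buffer_size is the payload rounded up to sizeof(void *), and an empty
 * parcel still gets a sizeof(void *) buffer so it counts against the budget. */
static bool alloc_async(struct alloc_model *m, size_t size, size_t *buffer_size)
{
    size_t bsize = align_ptr(size);
    if (bsize == 0)
        bsize = sizeof(void *);
    if (m->free_async_space < bsize)
        return false;              /* budget exhausted: the abusive-client limit fires */
    m->free_async_space -= bsize;
    *buffer_size = bsize;
    return true;
}

/* Pre-fix behaviour: credit back the logical size, not what was debited. */
static void free_async_buggy(struct alloc_model *m, size_t size, size_t buffer_size)
{
    (void)buffer_size;
    m->free_async_space += size;
}

/* Post-fix behaviour: credit back the allocated buffer_size. */
static void free_async_fixed(struct alloc_model *m, size_t size, size_t buffer_size)
{
    (void)size;
    m->free_async_space += buffer_size;
}

/* Run n async transactions of `payload` bytes, each allocated then freed,
 * stopping early if the budget runs out. Returns how many bytes of budget
 * are missing afterwards; with correct accounting this is always 0. */
static size_t leaked_after(size_t n, size_t payload, bool fixed)
{
    struct alloc_model m = { ASYNC_SPACE_BYTES };
    for (size_t i = 0; i < n; i++) {
        size_t bsize;
        if (!alloc_async(&m, payload, &bsize))
            break;
        if (fixed)
            free_async_fixed(&m, payload, bsize);
        else
            free_async_buggy(&m, payload, bsize);
    }
    return ASYNC_SPACE_BYTES - m.free_async_space;
}

int main(void)
{
    for (size_t payload = 0; payload <= sizeof(void *); payload++)
        printf("payload %zu: buggy leaks %zu bytes after 10 txns, fixed leaks %zu\n",
               payload, leaked_after(10, payload, false),
               leaked_after(10, payload, true));
    printf("buggy, 2000 empty parcels: %zu of %d bytes gone\n",
           leaked_after(2000, 0, false), ASYNC_SPACE_BYTES);
    return 0;
}
```

The model shows why the issue hid for years: a process has to send many tiny or empty async transactions before the missing bytes add up to the budget, and ordinary clients rarely do. It also shows the observable symptom a defender can look for on unpatched kernels, which is async transactions starting to fail for a long-running process whose real outstanding buffers are small.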

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.92-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}