CVE-2023-54157

Source
https://cve.org/CVERecord?id=CVE-2023-54157
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54157.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-54157
Downstream
Published
2025-12-24T13:07:06.764Z
Modified
2025-12-24T21:19:38.810560Z
Summary
binder: fix UAF of alloc->vma in race with munmap()
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF of alloc->vma in race with munmap()

[ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ]

In commit 720c24192404 ("ANDROID: binder: change downwrite to downread") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held.

This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace:

==================================================================
BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0
Read of size 8 at addr ffff16204ad00600 by task server/558

CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x2a0
 show_stack+0x18/0x2c
 dump_stack+0xf8/0x164
 print_address_description.constprop.0+0x9c/0x538
 kasan_report+0x120/0x200
 __asan_load8+0xa0/0xc4
 vm_insert_page+0x7c/0x1f0
 binder_update_page_range+0x278/0x50c
 binder_alloc_new_buf+0x3f0/0xba0
 binder_transaction+0x64c/0x3040
 binder_thread_write+0x924/0x2020
 binder_ioctl+0x1610/0x2e5c
 __arm64_sys_ioctl+0xd4/0x120
 el0_svc_common.constprop.0+0xac/0x270
 do_el0_svc+0x38/0xa0
 el0_svc+0x1c/0x2c
 el0_sync_handler+0xe8/0x114
 el0_sync+0x180/0x1c0

Allocated by task 559:
 kasan_save_stack+0x38/0x6c
 __kasan_kmalloc.constprop.0+0xe4/0xf0
 kasan_slab_alloc+0x18/0x2c
 kmem_cache_alloc+0x1b0/0x2d0
 vm_area_alloc+0x28/0x94
 mmap_region+0x378/0x920
 do_mmap+0x3f0/0x600
 vm_mmap_pgoff+0x150/0x17c
 ksys_mmap_pgoff+0x284/0x2dc
 __arm64_sys_mmap+0x84/0xa4
 el0_svc_common.constprop.0+0xac/0x270
 do_el0_svc+0x38/0xa0
 el0_svc+0x1c/0x2c
 el0_sync_handler+0xe8/0x114
 el0_sync+0x180/0x1c0

Freed by task 560:
 kasan_save_stack+0x38/0x6c
 kasan_set_track+0x28/0x40
 kasan_set_free_info+0x24/0x4c
 __kasan_slab_free+0x100/0x164
 kasan_slab_free+0x14/0x20
 kmem_cache_free+0xc4/0x34c
 vm_area_free+0x1c/0x2c
 remove_vma+0x7c/0x94
 __do_munmap+0x358/0x710
 __vm_munmap+0xbc/0x130
 __arm64_sys_munmap+0x4c/0x64
 el0_svc_common.constprop.0+0xac/0x270
 do_el0_svc+0x38/0xa0
 el0_svc+0x1c/0x2c
 el0_sync_handler+0xe8/0x114
 el0_sync+0x180/0x1c0

[...]
==================================================================

To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54157.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dd2283f2605e3b3e9c61bcae844b34f2afa4813f
Fixed
1bb8a65190d45cd5c7dbc85e29b9102110cd6be6
Fixed
931ea1ed31be939c1efdbc49bc66d2a45684f9b4
Fixed
ca0cc0a9c6e56c699e2acbb93d8024523021f3c3
Fixed
d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07

Affected versions

v4.*
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.100
v5.15.101
v5.15.102
v5.15.103
v5.15.104
v5.15.105
v5.15.106
v5.15.107
v5.15.108
v5.15.109
v5.15.11
v5.15.110
v5.15.111
v5.15.112
v5.15.113
v5.15.114
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.87
v5.15.88
v5.15.89
v5.15.9
v5.15.90
v5.15.91
v5.15.92
v5.15.93
v5.15.94
v5.15.95
v5.15.96
v5.15.97
v5.15.98
v5.15.99
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.4-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54157.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.15.115
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.31
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.3.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54157.json"