CVE-2024-56553

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56553
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56553.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-56553
Downstream
Published
2024-12-27T14:22:54.859Z
Modified
2025-11-20T06:54:14.235467Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
binder: fix memleak of proc->delivered_freeze
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix memleak of proc->delivered_freeze

If a freeze notification is cleared with BCCLEARFREEZENOTIFICATION before calling binderfreezenotificationdone(), then it is detached from its reference (e.g. ref->freeze) but the work remains queued in proc->deliveredfreeze. This leads to a memory leak when the process exits as any pending entries in proc->deliveredfreeze are not freed:

unreferenced object 0xffff38e8cfa36180 (size 64): comm "binder-util", pid 655, jiffies 4294936641 hex dump (first 32 bytes): b8 e9 9e c8 e8 38 ff ff b8 e9 9e c8 e8 38 ff ff .....8.......8.. 0b 00 00 00 00 00 00 00 3c 1f 4b 00 00 00 00 00 ........<.K..... backtrace (crc 95983b32): [<000000000d0582cf>] kmemleakalloc+0x34/0x40 [<000000009c99a513>] _kmalloccachenoprof+0x208/0x280 [<00000000313b1704>] binderthreadwrite+0xdec/0x439c [<000000000cbd33bb>] binderioctl+0x1b68/0x22cc [<000000002bbedeeb>] _arm64sysioctl+0x124/0x190 [<00000000b439adee>] invokesyscall+0x6c/0x254 [<00000000173558fc>] el0svccommon.constprop.0+0xac/0x230 [<0000000084f72311>] doel0svc+0x40/0x58 [<000000008b872457>] el0svc+0x38/0x78 [<00000000ee778653>] el0t64synchandler+0x120/0x12c [<00000000a8ec61bf>] el0t64_sync+0x190/0x194

This patch fixes the leak by ensuring that any pending entries in proc->deliveredfreeze are freed during binderdeferred_release().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d579b04a52a183db47dfcb7a44304d7747d551e1
Fixed
b8b77712142fb146fe18d2253bc8a798d522e427
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d579b04a52a183db47dfcb7a44304d7747d551e1
Fixed
1db76ec2b4b206ff943e292a0b55e68ff3443598

Affected versions

v6.*

v6.11
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "drivers/android/binder.c",
            "function": "binder_release_work"
        },
        "digest": {
            "length": 1341.0,
            "function_hash": "276602875509664814439041575819987123575"
        },
        "id": "CVE-2024-56553-4855e5b5",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1db76ec2b4b206ff943e292a0b55e68ff3443598",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "drivers/android/binder.c"
        },
        "digest": {
            "line_hashes": [
                "334383635062183009416921975544598630796",
                "139632914586901389961181528042456615476",
                "134174389588705606800713851869482212888",
                "149950396740673566696065313646766517241",
                "187394266874894317537480319118752562415",
                "53907047774767216253491009572073104257",
                "213553341558570819513779766777008442531",
                "34721572320960131391487640990413752406"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-56553-83f342cd",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1db76ec2b4b206ff943e292a0b55e68ff3443598",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "drivers/android/binder.c",
            "function": "binder_deferred_release"
        },
        "digest": {
            "length": 1771.0,
            "function_hash": "325870005059453996074979729708802654159"
        },
        "id": "CVE-2024-56553-bb4e9164",
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1db76ec2b4b206ff943e292a0b55e68ff3443598",
        "deprecated": false,
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.4