In the Linux kernel, the following vulnerability has been resolved:
binder: fix OOB in binderaddfreeze_work()
In binderaddfreezework() we iterate over the proc->nodes with the proc->innerlock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binderdeferredrelease() which removes the nodes from the proc->nodes rbtree and adds them into binderdeadnodes list. This leads to a broken iteration in binderaddfreezework() as rbnext() will use data from binderdeadnodes, triggering an out-of-bounds access:
================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rbnext+0xfc/0x124 binderaddfreezework+0x344/0x534 binderioctl+0x1e70/0x25ac _arm64sysioctl+0x124/0x190
The buggy address belongs to the variable: binderdeadnodes+0x10/0x40 [...] ==================================================================
This is possible because proc->nodes (rbtree) and binderdeadnodes (list) share entries in binder_node through a union:
struct binder_node {
[...]
union {
struct rb_node rb_node;
struct hlist_node dead_node;
};
Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.