CVE-2024-56556

In the Linux kernel, the following vulnerability has been resolved:

binder: fix node UAF in binderaddfreeze_work()

In binderaddfreezework() we iterate over the proc->nodes with the proc->innerlock held. However, this lock is temporarily dropped in order to acquire the node->lock first (lock nesting order). This can race with bindernoderelease() and trigger a use-after-free:

================================================================== BUG: KASAN: slab-use-after-free in rawspin_lock+0xe4/0x19c Write of size 4 at addr ffff53c04c29dd04 by task freeze/640

CPU: 5 UID: 0 PID: 640 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #17 Hardware name: linux,dummy-virt (DT) Call trace: rawspinlock+0xe4/0x19c binderaddfreezework+0x148/0x478 binder_ioctl+0x1e70/0x25ac __arm64sysioctl+0x124/0x190

Allocated by task 637: __kmalloccachenoprof+0x12c/0x27c bindernewnode+0x50/0x700 bindertransaction+0x35ac/0x6f74 binderthreadwrite+0xfb8/0x42a0 binderioctl+0x18f0/0x25ac __arm64sysioctl+0x124/0x190

Freed by task 637: kfree+0xf0/0x330 binderthreadread+0x1e88/0x3a68 binder_ioctl+0x16d8/0x25ac __arm64sysioctl+0x124/0x190 ==================================================================

Fix the race by taking a temporary reference on the node before releasing the proc->inner lock. This ensures the node remains alive while in use.