DEBIAN-CVE-2024-56555

In the Linux kernel, the following vulnerability has been resolved: binder: fix OOB in binderaddfreezework() In binderaddfreezework() we iterate over the proc->nodes with the proc->innerlock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binderdeferredrelease() which removes the nodes from the proc->nodes rbtree and adds them into binderdeadnodes list. This leads to a broken iteration in binderaddfreezework() as rbnext() will use data from binderdeadnodes, triggering an out-of-bounds access: ================================================================== BUG: KASAN: global-out-of-bounds in rbnext+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660 CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rbnext+0xfc/0x124 binderaddfreezework+0x344/0x534 binderioctl+0x1e70/0x25ac _arm64sysioctl+0x124/0x190 The buggy address belongs to the variable: binderdeadnodes+0x10/0x40 [...] ================================================================== This is possible because proc->nodes (rbtree) and binderdeadnodes (list) share entries in bindernode through a union: struct bindernode { [...] union { struct rbnode rbnode; struct hlistnode deadnode; }; Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.