In retrieve_ptr_limit and related functions of verifier.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 4765.0, "function_hash": "280925786661479790060625219488333451145" }, "id": "PUB-A-190011721-06da4639", "source": "https://android.googlesource.com/kernel/common/+/4e2c7b297431", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "adjust_ptr_min_max_vals" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "262039529909060196131840256906024236091", "270188737281727892283613521542930633652", "202666486935702327703733695467908503678", "206109830977063295313481655814501734546", "292486978687385929434937330953248332427", "328639218135929486931504967438055463412", "62868870917074497638268689937442447168", "320310744290047615038558848755583454387", "261457560931777040427055367791851611644", "68582937390981047386786096394346336561", "262129148996771020818048131033824065966", "112351779731652824777136638711725917188", "190261737873874972819381169079371674881", "303706700695040886962027604386566828839", "10389472930954564919343417650301357378", "3865584324248217866683036343101457061", "58441117975608874748647369726117887541", "79415134364014076933211547464204217671", "317311942449228392442899622207029611134", "135760675079791313916564915763451899558", "32902188230975282252255827147040916814", "204870489292401244044936037152747646290", "25504007323729439322956106711636630733", "172381262836319009699659302504928370105", "136782001053866556956108588732434675271", "10245136483796299734482042581954248075", "322126300342519691672201230491836247048", "108686124283852224623903031889849749709", "202818059168461138909902828253571242458" ] }, "id": "PUB-A-190011721-0f162e85", "source": "https://android.googlesource.com/kernel/common/+/4e2c7b297431", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c" }, "signature_type": "Line" }, { "digest": { "length": 1148.0, "function_hash": 
"246957723678091566589130391708730684184" }, "id": "PUB-A-190011721-23b47069", "source": "https://android.googlesource.com/kernel/common/+/c87ef240a8bb", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "sanitize_ptr_alu" }, "signature_type": "Function" }, { "digest": { "length": 747.0, "function_hash": "6241484433920322589546792130090738769" }, "id": "PUB-A-190011721-81499f5a", "source": "https://android.googlesource.com/kernel/common/+/c87ef240a8bb", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "retrieve_ptr_limit" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "47427510771680019310194127933122136096", "319713665651579424303318085355357056722", "240756402307389634250126952816184534541", "207370627333112601712375871791117294648" ] }, "id": "PUB-A-190011721-951b2ab4", "source": "https://android.googlesource.com/kernel/common/+/27acfd11ba17", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c" }, "signature_type": "Line" }, { "digest": { "length": 1127.0, "function_hash": "187212921763892443154419825529662340918" }, "id": "PUB-A-190011721-97ef0e8e", "source": "https://android.googlesource.com/kernel/common/+/4e2c7b297431", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "sanitize_ptr_alu" }, "signature_type": "Function" }, { "digest": { "length": 1384.0, "function_hash": "190812588988046212309368991988796455796" }, "id": "PUB-A-190011721-a841515f", "source": "https://android.googlesource.com/kernel/common/+/27acfd11ba17", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "sanitize_ptr_alu" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "3973112015353895427797486632497507088", "109492799880415627359173180119756358953", 
"151263697241877261312355100598146786640", "227558448847777301654952269804132204619", "48422950799149764877750188752617729560", "322566115669594912920201594012322327461", "39918092637745787937094710157800133725", "27974248861366183145253296694337357657", "278672871784064751746473846623304960395", "10984009763167534490828174999891896918", "36147004044395911372441237840665215257", "273077193668393981112346615424261606026", "89522239158795419087619746193143309496", "57296124109740312822760439108636120772", "39464320438896685214166384935106519725", "271371438596389649210494411959216830846", "160026756588115414011880114991878292752", "4154023463872514507109786054285824972", "84049923922650422497478016294474054196", "225208778956210412871068268981562215833", "288492177735258700518958040474273244828" ] }, "id": "PUB-A-190011721-ae02bd93", "source": "https://android.googlesource.com/kernel/common/+/c87ef240a8bb", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/4e2c7b297431", "https://android.googlesource.com/kernel/common/+/c87ef240a8bb", "https://android.googlesource.com/kernel/common/+/27acfd11ba17" ], "spl": "2021-12-05", "severity": "Moderate", "types": [ "EoP" ] }