In scalar32minmax_and and related functions of verifier.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "268499432086453695461947937618132504191", "28815938530547566872089506784012690491", "190249717404772973009232995727446553294", "892011757368294255456249402586808", "169157662988703443093812581696368870495", "164990137553000868715299285382475257910", "274206896470356226171965700578067493898", "221821354740958865665602509088646630295", "24494322262459022987948695924122194094", "52159526969827808443106630344937546106", "31150567897263568674238775655651999062", "145625396532889948601410605337963483547", "225831300382367568389693673335474818463", "215280045947733659077807428387251882948", "86066530608005036843640802640091308736", "207113241709726354256977052671213352080", "273868692051937357954194199866523804351", "241128842217725226294423682710901380641" ] }, "id": "PUB-A-190876666-a169f7fe", "source": "https://android.googlesource.com/kernel/common/+/049c4e13714ecbca567b4d5f6d563f05d431c80e", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c" }, "signature_type": "Line" }, { "digest": { "length": 576.0, "function_hash": "142109818106845907477021006749781667817" }, "id": "PUB-A-190876666-a2f0260c", "source": "https://android.googlesource.com/kernel/common/+/049c4e13714ecbca567b4d5f6d563f05d431c80e", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "scalar32_min_max_xor" }, "signature_type": "Function" }, { "digest": { "length": 641.0, "function_hash": "299568570170953130355747991110553210298" }, "id": "PUB-A-190876666-db89051d", "source": "https://android.googlesource.com/kernel/common/+/049c4e13714ecbca567b4d5f6d563f05d431c80e", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "scalar32_min_max_or" }, "signature_type": "Function" }, { "digest": { "length": 628.0, "function_hash": "179472125740756203902497080671537141265" }, "id": "PUB-A-190876666-f40bb38e", "source": "https://android.googlesource.com/kernel/common/+/049c4e13714ecbca567b4d5f6d563f05d431c80e", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/bpf/verifier.c", "function": "scalar32_min_max_and" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/049c4e13714ecbca567b4d5f6d563f05d431c80e" ], "spl": "2021-10-05", "severity": "Moderate", "types": [ "EoP" ] }