PUB-A-205573273
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/PUB-A-205573273.json
- JSON Data
- https://api.osv.dev/v1/vulns/PUB-A-205573273
- Aliases
-
- A-205573273
- CVE-2021-39714
- Published
- 2022-08-01T00:00:00Z
- Modified
- 2024-08-29T06:57:55.557476Z
- Summary
- reference count of ion_handle_kmap can be overflow
- Details
-
In ionbufferkmap_get of ion.c, there is a possible use-after-free due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
-
- https://source.android.com/security/bulletin/2022-08-01
- https://android.googlesource.com/kernel/common/+/721fb79e0eccd371a70054726dfe6931e6ed23e4
- https://android.googlesource.com/kernel/common/+/0d752f78b20dbe4eeb9bc76f118889f1898948ca
- https://android.googlesource.com/kernel/common/+/f48f8f7c3fdc21f34c45a7b3eeafb3109cf3340f
- https://android.googlesource.com/kernel/common/+/7f04e0c309811e762872a7ce71fba9cb359dd2c0
- https://android.googlesource.com/kernel/common/+/b6b3781a
- https://android.googlesource.com/kernel/common/+/618a931c
Affected packages
Android / :linux_kernel:
Package
- Name
- :linux_kernel:
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 377.0,
"function_hash": "143589944968431461125676622989324634605"
},
"id": "PUB-A-205573273-09e8f23e",
"source": "https://android.googlesource.com/kernel/common/+/7f04e0c309811e762872a7ce71fba9cb359dd2c0",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c",
"function": "ion_buffer_kmap_get"
},
"signature_type": "Function"
},
{
"digest": {
"length": 410.0,
"function_hash": "4219159529549243608601486086579260767"
},
"id": "PUB-A-205573273-1f2ed4d0",
"source": "https://android.googlesource.com/kernel/common/+/618a931c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion.c",
"function": "ion_buffer_kmap_get"
},
"signature_type": "Function"
},
{
"digest": {
"length": 410.0,
"function_hash": "4219159529549243608601486086579260767"
},
"id": "PUB-A-205573273-2f0f89ff",
"source": "https://android.googlesource.com/kernel/common/+/b6b3781a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion.c",
"function": "ion_buffer_kmap_get"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"32066693641211963378462662023135189242",
"316971968143812374367631972781890494004",
"39606589143636630290617244170557724983",
"334251420500601506650157017286537155759"
]
},
"id": "PUB-A-205573273-37e0126f",
"source": "https://android.googlesource.com/kernel/common/+/721fb79e0eccd371a70054726dfe6931e6ed23e4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 377.0,
"function_hash": "143589944968431461125676622989324634605"
},
"id": "PUB-A-205573273-43d66593",
"source": "https://android.googlesource.com/kernel/common/+/721fb79e0eccd371a70054726dfe6931e6ed23e4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c",
"function": "ion_buffer_kmap_get"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"32066693641211963378462662023135189242",
"316971968143812374367631972781890494004",
"39606589143636630290617244170557724983",
"334251420500601506650157017286537155759"
]
},
"id": "PUB-A-205573273-557f96a3",
"source": "https://android.googlesource.com/kernel/common/+/7f04e0c309811e762872a7ce71fba9cb359dd2c0",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"65934957145507903299536105905483557201",
"316971968143812374367631972781890494004",
"39606589143636630290617244170557724983",
"334251420500601506650157017286537155759"
]
},
"id": "PUB-A-205573273-869d9f05",
"source": "https://android.googlesource.com/kernel/common/+/618a931c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"32066693641211963378462662023135189242",
"316971968143812374367631972781890494004",
"39606589143636630290617244170557724983",
"334251420500601506650157017286537155759"
]
},
"id": "PUB-A-205573273-8d505e31",
"source": "https://android.googlesource.com/kernel/common/+/0d752f78b20dbe4eeb9bc76f118889f1898948ca",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"65934957145507903299536105905483557201",
"316971968143812374367631972781890494004",
"39606589143636630290617244170557724983",
"334251420500601506650157017286537155759"
]
},
"id": "PUB-A-205573273-8e5aa7fd",
"source": "https://android.googlesource.com/kernel/common/+/b6b3781a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 377.0,
"function_hash": "143589944968431461125676622989324634605"
},
"id": "PUB-A-205573273-9298d123",
"source": "https://android.googlesource.com/kernel/common/+/0d752f78b20dbe4eeb9bc76f118889f1898948ca",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c",
"function": "ion_buffer_kmap_get"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"32066693641211963378462662023135189242",
"316971968143812374367631972781890494004",
"39606589143636630290617244170557724983",
"334251420500601506650157017286537155759"
]
},
"id": "PUB-A-205573273-a4efcae2",
"source": "https://android.googlesource.com/kernel/common/+/f48f8f7c3fdc21f34c45a7b3eeafb3109cf3340f",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 377.0,
"function_hash": "143589944968431461125676622989324634605"
},
"id": "PUB-A-205573273-fdd0d6c6",
"source": "https://android.googlesource.com/kernel/common/+/f48f8f7c3fdc21f34c45a7b3eeafb3109cf3340f",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/staging/android/ion/ion_buffer.c",
"function": "ion_buffer_kmap_get"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/kernel/common/+/721fb79e0eccd371a70054726dfe6931e6ed23e4",
"https://android.googlesource.com/kernel/common/+/0d752f78b20dbe4eeb9bc76f118889f1898948ca",
"https://android.googlesource.com/kernel/common/+/f48f8f7c3fdc21f34c45a7b3eeafb3109cf3340f",
"https://android.googlesource.com/kernel/common/+/7f04e0c309811e762872a7ce71fba9cb359dd2c0",
"https://android.googlesource.com/kernel/common/+/b6b3781a",
"https://android.googlesource.com/kernel/common/+/618a931c"
],
"spl": "2022-08-05",
"severity": "Moderate",
"types": [
"EoP"
]
}