ASB-A-213339151

Import Source
https://storage.googleapis.com/android-osv/ASB-A-213339151.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-213339151
Aliases
  • A-213339151
  • CVE-2021-39802
Published
2022-04-01T00:00:00Z
Modified
2024-08-24T04:42:36Z
Summary
[GKI] Revert mprotect optimization from android12-5.10 branch
Details

In change_pte_range of mprotect.c, there is a possible way to make a shared mmap writable due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / :linux_kernel:

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2022-04-05

Affected versions

Other

Kernel

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "26388385448768045903197744812104900847",
                    "36848866001086906351986369137777488679",
                    "246381734631290278259577314290080014830",
                    "292025356104246184942351641166927029170",
                    "289032966299733574939041913647164321221",
                    "319749281976369751617148559791401543651",
                    "173617174932993894428545678489161053335",
                    "18478977818009636697733348297525703618",
                    "303987600062360137456225274697869082737",
                    "211703503418122648368873319370856317786",
                    "223625824251537869180662648970918386677",
                    "155514278188575556479937656422010026274",
                    "262711827158317387919649248485093544159",
                    "320867407498125824499487342931925626326",
                    "262335409017011549160765450881081438972",
                    "43836447096542978042347064419286815983",
                    "212684369356434056530843624369581884882",
                    "290947890044958423638068943395238387273",
                    "205158834634470643564971834578313775589",
                    "234046542991262528636222952799151665572",
                    "116507045666393588100525777585550737554",
                    "316784880375472124503082284181148452803",
                    "183340213450978201184302600116670826334",
                    "213618678633237511562215363816140982358",
                    "298653192486935056634878306779187032061",
                    "74809617335122515717546167645423972713",
                    "27012292030432713556413204819171617142",
                    "41745544533253503058633185501129737274",
                    "120725726624912948596832818613445911804",
                    "98535640408614503003517352597131437199",
                    "98041784561752972404940356950574569322"
                ]
            },
            "id": "ASB-A-213339151-233930ca",
            "source": "https://android.googlesource.com/kernel/common/+/ac4488815518c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2061.0,
                "function_hash": "40956230839441199247362622370650186968"
            },
            "id": "ASB-A-213339151-40f58064",
            "source": "https://android.googlesource.com/kernel/common/+/ac4488815518c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c",
                "function": "change_pte_range"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 2161.0,
                "function_hash": "172667158180238430828807650673675159960"
            },
            "id": "ASB-A-213339151-453c7d84",
            "source": "https://android.googlesource.com/kernel/common/+/6f9aba5a20b84",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c",
                "function": "change_pte_range"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "183032221916153193182329789789079350147",
                    "95381081053243779011811631504261460723",
                    "295187802818044511120661050196951502232",
                    "106843078633827551088870984421675393694",
                    "328527994405515199974374174615856915895",
                    "83846046281272957785594002941606216354",
                    "164571244075822472549494859400642303646",
                    "294140762355725933546093490834746029535",
                    "314550388758617286576045305298864095241"
                ]
            },
            "id": "ASB-A-213339151-594bff79",
            "source": "https://android.googlesource.com/kernel/common/+/6f9aba5a20b84",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 491.0,
                "function_hash": "38692348679089118757001497010520826709"
            },
            "id": "ASB-A-213339151-b7eb8f69",
            "source": "https://android.googlesource.com/kernel/common/+/ac4488815518c",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c",
                "function": "may_avoid_write_fault"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "128860355205528359091590660948147595541",
                    "247731958661459105443647129325283961533",
                    "53033447453478338200424833580008824070",
                    "124534619553369977728910052496879958773",
                    "316080425527770938972761145275704448032",
                    "258480643095600329837128299039529690021",
                    "183032221916153193182329789789079350147",
                    "40058328818126488230781505731627049449",
                    "124786915141688956432099356590562712532",
                    "215305075731189509433518994006740494531",
                    "328527994405515199974374174615856915895",
                    "83846046281272957785594002941606216354",
                    "164571244075822472549494859400642303646",
                    "294140762355725933546093490834746029535",
                    "314550388758617286576045305298864095241"
                ]
            },
            "id": "ASB-A-213339151-cca6a438",
            "source": "https://android.googlesource.com/kernel/common/+/b44e46bb047d1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 2161.0,
                "function_hash": "172667158180238430828807650673675159960"
            },
            "id": "ASB-A-213339151-f3d50201",
            "source": "https://android.googlesource.com/kernel/common/+/b44e46bb047d1",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "mm/mprotect.c",
                "function": "change_pte_range"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/ac4488815518c",
        "https://android.googlesource.com/kernel/common/+/b44e46bb047d1",
        "https://android.googlesource.com/kernel/common/+/67d075d23a8bc",
        "https://android.googlesource.com/kernel/common/+/6f9aba5a20b84"
    ],
    "spl": "2022-04-05",
    "severity": "High",
    "types": [
        "EoP"
    ]
}