In several functions of the Android Linux kernel, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "90349997961794140005994283412347607671", "33330146174059506987460899299007733048", "333405777602281207248768250366045409158", "9437249119828905140733911049185923614", "230146267755354811562359335644047689244", "78847786890969535185675340708327893047", "204198407646300911077867939533606828503", "225777822968770784240026837602764288727", "188772174509693946954763946792453575517", "254696216374900701991017979343475924929", "286232029829299807398042304180692032941", "50182187084195876613061918879491888453", "268827395812849400136751120940773080719", "57430635733445739238548161749917906170", "337758918008927829216942535846358460774", "52374486780257004216729473160573811969", "337359644861769469787614553243810373980", "60203788414696144079431764192241925098", "278635761680431502675922502123491894803", "311795377058947205955375909980588384880", "339224540752852382387208977916745122171", "54437077036201331029712062886206145879", "231662307513929131429289230369146654049", "117748129994821568095662716726341289381", "38409544743104477094759950189288221247", "201400259752501890421235440946382221214", "324607262028366708659567422559987261369", "127256245248739780118635074090216326810", "273190731458301690458387772005392519059", "176092484117585210509053173109392899136", "44479797551460979539514177780627940588", "12967738027312931568533064170464958454", "149755519372865311733052869707961052068", "175902000962761333518582847236098404614", "59105900363660926844410309261859658399", "538889251892176561637896479779244880", "227269234091886382935833954437779867645", "62599682106280878832387371397663377395", "260429548720160506740244304234000348532", "289519164162454221233319286473396783531", "151810853550874344260616967139732862208" ] }, "id": "ASB-A-257443051-04360e3b", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/mm/fault.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "175987319813589939320544428101347308425", "81355071304632501913545894005046657607", "286712988081706539654303465161453327756", "291509442699145851074023602221500049804", "312687034910172620385929360375289439047", "306441057852845127194663198855876104739", "289610286434021659604212321548658205359", "216537303692122383722883669374916911376", "93129400781065904797586029801645263950", "161442424904831991507394645295558863302", "199819447781378841175661417481695150817", "228602708382831907272581625298676472074", "191289145721267978836501166683689708953", "320881220285900115151882708337488966717", "324698525148700124504906195489151568430", "107858299146934385832845265392480619017", "158138459365811558356183903437299148395", "298372342315554677853334846823403983396", "320718532133039333806504216680107152172", "235991785009887317673678571290304362782", "231517677460875203802325096820706380290", "18154702479158792987281938548990703870", "333461159596177451765111719218312864691", "61229569283209288228502996591193709304", "55683042232018505222984111087810496265", "177671343305291990160702528390575244627", "70096681169316112200139066228363782547" ] }, "id": "ASB-A-257443051-0f6d69af", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/fork.c" }, "signature_type": "Line" }, { "digest": { "length": 340.0, "function_hash": "247574521921275082392918268778392699899" }, "id": "ASB-A-257443051-16817eea", "source": "https://android.googlesource.com/kernel/common/+/ca96bd7bf10e62eccc583726be502f219ab02c1e", "deprecated": true, "signature_version": "v1", "target": { "file": "mm/nommu.c", "function": "__find_vma" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "202150568760842936207970370058739858145", "36061958919330756560107959294501527422", "186216907002860401703584664020542021824", "27558272932828544654024251370394432338" ] }, "id": "ASB-A-257443051-26766aef", "source": "https://android.googlesource.com/kernel/common/+/50d2b75b860a6495aac6127a27f75b309e91b689", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "229191064626350713838324552748613217701", "298110321254293125895252720510586242268", "129823111773582098620618320184012427407" ] }, "id": "ASB-A-257443051-590a6d17", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": true, "signature_version": "v1", "target": { "file": "mm/memory.c" }, "signature_type": "Line" }, { "digest": { "length": 296.0, "function_hash": "304224270656147033512245617101240382711" }, "id": "ASB-A-257443051-5b4a5066", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/fork.c", "function": "vm_area_free" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "156685963599492258169727425360014185662", "238600745856232712036511589400244524532", "304213370523799900187940759341940368694", "297124876274695538835061859469291222875", "60013874887765753717666567128730014221", "329326120897325970132462853658070658804", "340149787332029753642551137543091192769", "180573021079073066296669354974424924780", "326985130841906546465949551939203962017", "172323454428466741430637338054629255956", "236284904113255811643181499237406672814", "213574775841200817704416437314853400603", "196281169656912986980731375926752466834" ] }, "id": "ASB-A-257443051-674e4071", "source": "https://android.googlesource.com/kernel/common/+/ca96bd7bf10e62eccc583726be502f219ab02c1e", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mmap.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "107495244874798744029887959353098959620", "309089279031178842774707910566717880104", "147482750705227228292036289846304377249", "137557750825714246603947329889087201491", "324131300247421353052654732280695566387", "324862420182178577650750048117105568843", "1228260130139878720329556233712426866", "274284880338793595387743666369373837552" ] }, "id": "ASB-A-257443051-6db1d3fa", "source": "https://android.googlesource.com/kernel/common/+/533a88fed7d0107eff64d723d853e9a2c4a1053c", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mremap.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "283535518396793826535956934081474873108", "2669960738505225739545333878213748393", "161200334978936742850034182152227747015", "176883152808705061616760747189695735293", "212078564284353733299392021887819118668", "204198407646300911077867939533606828503", "164752008746532384405565435856914454230", "48734980859394105981850888529800160506", "17521398937503191473143967013755486787", "86308018728779471901621197307079352725", "60244002890564584453689078103251183016", "268827395812849400136751120940773080719", "202814779179569414122058626456051225426", "130722769911506741027132657568996064870", "148154783826115610999665662131411323848", "273501878652191767625331110792383400588", "60203788414696144079431764192241925098", "278635761680431502675922502123491894803", "311795377058947205955375909980588384880", "339224540752852382387208977916745122171", "54437077036201331029712062886206145879", "231662307513929131429289230369146654049", "117748129994821568095662716726341289381", "38409544743104477094759950189288221247", "201400259752501890421235440946382221214", "324607262028366708659567422559987261369", "127256245248739780118635074090216326810", "319274653280772053681813587304964432115", "107550976864504162092315980744953915234", "323135307888809759483870274871034548980", "67864239895056451170368489968707931338", "143929440722259153534079025134199158967", "2001341478430462588173697149349390065", "149755519372865311733052869707961052068", "175902000962761333518582847236098404614", "209621486992994374534471927347383296962", "124300029164884976352165487045291386959", "139998833890775143499667766774268001246", "298448879261304466312057690351166964029", "93327184200239926127618015863641635088", "149755519372865311733052869707961052068", "175902000962761333518582847236098404614", "179830911570077284387809679554913390849", "59599782728891466535860303504254156614", "84763462107407810331557305636998350965", "151026915247565011446355289011492127895", "296171499531907385988037117536041313883", "45870060721800295844943652131237747456", "231544623516924583749555990478724686860" ] }, "id": "ASB-A-257443051-74d25446", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/powerpc/mm/fault.c" }, "signature_type": "Line" }, { "digest": { "length": 3870.0, "function_hash": "188714146957860623339706150010987046687" }, "id": "ASB-A-257443051-797ec804", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/powerpc/mm/fault.c", "function": "___do_page_fault" }, "signature_type": "Function" }, { "digest": { "length": 761.0, "function_hash": "121126448024498034494840826277502301605" }, "id": "ASB-A-257443051-7ab44b3b", "source": "https://android.googlesource.com/kernel/common/+/50d2b75b860a6495aac6127a27f75b309e91b689", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/rmap.c", "function": "unlink_anon_vmas" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "65230660445532762996007397126293140723", "97278426426379749107002336789654477557", "161200334978936742850034182152227747015", "176883152808705061616760747189695735293", "307027489443714200184220542382049526318", "204198407646300911077867939533606828503", "164752008746532384405565435856914454230", "48734980859394105981850888529800160506", "17521398937503191473143967013755486787", "86308018728779471901621197307079352725", "60244002890564584453689078103251183016", "268827395812849400136751120940773080719", "202814779179569414122058626456051225426", "130722769911506741027132657568996064870", "148154783826115610999665662131411323848", "273501878652191767625331110792383400588", "60203788414696144079431764192241925098", "278635761680431502675922502123491894803", "311795377058947205955375909980588384880", "339224540752852382387208977916745122171", "54437077036201331029712062886206145879", "231662307513929131429289230369146654049", "117748129994821568095662716726341289381", "38409544743104477094759950189288221247", "201400259752501890421235440946382221214", "324607262028366708659567422559987261369", "127256245248739780118635074090216326810", "15957040965880395749758832587945850100", "206519986382954727830331852672171663395", "20864466908749243996482676896792087007", "151385497125609608957953195751884269440", "149755519372865311733052869707961052068", "175902000962761333518582847236098404614", "179830911570077284387809679554913390849", "59599782728891466535860303504254156614", "84763462107407810331557305636998350965", "151026915247565011446355289011492127895", "143435979801156031744814899357163402818", "77551455440546928173909890983937402998", "191472214570196089178594477514177096424" ] }, "id": "ASB-A-257443051-87b9ed62", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/x86/mm/fault.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "81700678338773074863018501713725247894", "50698360331196292757810054454044932375", "335204455933231430924995672223613401769", "184697530637852874906539774423522135255", "150375175074358220710405373954831660367", "340149787332029753642551137543091192769", "159636192618247159582685955605291225403", "121820265137203358363780543019006426533", "216062756756310966897171174451155256201", "90329303184179043200982817940491424422", "293045555982919206667573360832699542145", "300571343976692096269233302240681406514", "5785280889718316081047986213031488869", "144680077956518283959616875929336339393", "100788919595381097047411152510007643050", "220884027888050459794073188008898298494", "3974968927507212213381530096802112767", "80545221920067591812573844940509936002" ] }, "id": "ASB-A-257443051-91384ef4", "source": "https://android.googlesource.com/kernel/common/+/ca96bd7bf10e62eccc583726be502f219ab02c1e", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/nommu.c" }, "signature_type": "Line" }, { "digest": { "length": 451.0, "function_hash": "151536618048851767232811806267239231843" }, "id": "ASB-A-257443051-9f012bb5", "source": "https://android.googlesource.com/kernel/common/+/ca96bd7bf10e62eccc583726be502f219ab02c1e", "deprecated": false, "signature_version": "v1", "target": { "file": "mm/mmap.c", "function": "__find_vma" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "175925605630129977500607429321439482098", "283758380412923256971152073675571960749", "272900498982581303053079008445667011802", "213565501536761127666321575191622401834", "71218211812465642298037396863403322880", "258709761927682766191126049909863976640", "268365746978759670979097373678111050774", "298608140387694760621932855496906016511", "159531492885290835773938488433943451220", "312049542230174037007266015410897740910", "204568358134380169870240535390479315574" ] }, "id": "ASB-A-257443051-d35302a4", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/mm.h" }, "signature_type": "Line" }, { "digest": { "length": 4214.0, "function_hash": "152353335468662850099667088904036137916" }, "id": "ASB-A-257443051-e68506f9", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/x86/mm/fault.c", "function": "do_user_addr_fault" }, "signature_type": "Function" }, { "digest": { "length": 275.0, "function_hash": "298044960508098302873430909542696215386" }, "id": "ASB-A-257443051-e6e96860", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "include/linux/mm.h", "function": "vma_init" }, "signature_type": "Function" }, { "digest": { "length": 3808.0, "function_hash": "98557788917403011131869163971872806062" }, "id": "ASB-A-257443051-e7e2eae8", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/mm/fault.c", "function": "do_page_fault" }, "signature_type": "Function" }, { "digest": { "length": 150.0, "function_hash": "243599005556346965824282924633813521506" }, "id": "ASB-A-257443051-ec4a9d4d", "source": "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd", "deprecated": false, "signature_version": "v1", "target": { "file": "kernel/fork.c", "function": "__vm_area_free" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/50d2b75b860a6495aac6127a27f75b309e91b689", "https://android.googlesource.com/kernel/common/+/5844c8e7aaa946341f0d30441adc8f2cd97efbfc", "https://android.googlesource.com/kernel/common/+/4ea18cd059a4986a6a6f94a7f6d019b750bece65", "https://android.googlesource.com/kernel/common/+/ca96bd7bf10e62eccc583726be502f219ab02c1e", "https://android.googlesource.com/kernel/common/+/533a88fed7d0107eff64d723d853e9a2c4a1053c", "https://android.googlesource.com/kernel/common/+/a1f65b39ba08a0f24bde9f07921ff48277761132", "https://android.googlesource.com/kernel/common/+/3f311327f910e5c73d5bd602a80afcad371e83cd" ], "spl": "2023-02-05", "severity": "High", "types": [ "EoP" ] }