In doepollctl and eploopcheck_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "5546302996892674695733181081150190713", "254845254488049433364925925329909631002", "61111867128246008456282430160655614650", "287477108854287806242547243331052839356", "68236877813091864302708093933915698115", "241701986920677964397555727463466709105", "277080834881712031923981486806664647673", "158824667307289245702507900316174347151", "7079986297794278244640125217904423066", "333313324903879629285535110877405531974", "75751489068667955072051408444324484418", "138995473984137896688517210729817981360", "178406555186694324031589384626827039474", "180244627870399677721222713516771792152", "38313024542004397305181903134150602153", "291604657342661748843223099276439875606", "257038468580260341064543362812162197302", "258680882647267136425551000568036250174", "82728358833382096016259715752225092144", "200102018146994184616351414251937779109" ] }, "id": "ASB-A-147802478-2f8a7413", "source": "https://android.googlesource.com/kernel/common/+/a9ed4a6560b8", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/eventpoll.c" }, "signature_type": "Line" }, { "digest": { "length": 241.0, "function_hash": "339019174826606143645427579203886136719" }, "id": "ASB-A-147802478-36ff48c6", "source": "https://android.googlesource.com/kernel/common/+/a9ed4a6560b8", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/eventpoll.c", "function": "clear_tfile_check_list" }, "signature_type": "Function" }, { "digest": { "length": 839.0, "function_hash": "287259407574339437852013043003131772390" }, "id": "ASB-A-147802478-82fec563", "source": "https://android.googlesource.com/kernel/common/+/a9ed4a6560b8", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/eventpoll.c", "function": "ep_loop_check_proc" }, "signature_type": "Function" }, { "digest": { "length": 2447.0, "function_hash": "52056042117655767104639557800881983778" }, "id": "ASB-A-147802478-d5c667f7", "source": "https://android.googlesource.com/kernel/common/+/a9ed4a6560b8", "deprecated": false, "signature_version": "v1", "target": { "file": "fs/eventpoll.c", "function": "do_epoll_ctl" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/52c479697c9b", "https://android.googlesource.com/kernel/common/+/a9ed4a6560b8" ], "spl": "2020-12-05", "severity": "High", "types": [ "EoP" ] }