ASB-A-200688826
See a problem?- Import Source
- https://storage.googleapis.com/android-osv-test/ASB-A-200688826.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-200688826
- Aliases
-
- A-200688826
- CVE-2021-39686
- Published
- 2022-03-01T00:00:00Z
- Modified
- 2024-09-19T16:28:07.733355Z
- Summary
- binder SELinux checks are racy wrt concurrent execve()
- Details
-
In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
-
- https://source.android.com/security/bulletin/2022-03-01
- https://android.googlesource.com/kernel/common/+/d49297739550
- https://android.googlesource.com/kernel/common/+/3af7a2f61023
- https://android.googlesource.com/kernel/common/+/11db2de0af2a
- https://android.googlesource.com/kernel/common/+/a4eacf3227bd
Affected packages
Android / :linux_kernel:
Package
- Name
- :linux_kernel:
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 555.0,
"function_hash": "231407837190042573094156491589834243533"
},
"id": "ASB-A-200688826-11481815",
"source": "https://android.googlesource.com/kernel/common/+/d49297739550",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_free_proc"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"126683134176863470776868207136906914994",
"38713954720882132583903179716217917347",
"326893740105109937475759468122592924322",
"176910736974583919846835855928308724919",
"265314323873325083967345510800906385487",
"240682525509061376096596629109040678512",
"100223005864230666850221539740342201950",
"19475149632549597688432411711795234224",
"205178011758843003851090885871744212277",
"111318331972585815938292775316587303518",
"27801809098600170551150509610058461658",
"142770307936741376932770861364582651881",
"173441072849544000582352884120576204158",
"277097587211441045543691150770193867443",
"215597700148302091766435222561136143089",
"164453647142885321008171126345005053377",
"105675256379209094124693585282241930011",
"97341013175794610867792420283140963326",
"268457702880548025087106014816669219248",
"340250336334142126175866459841228586054",
"324025243790996693988771697812685073962",
"274942730410906923493771723543464266629",
"81420709793705465678489964396352122341",
"268457702880548025087106014816669219248",
"119884574446635250263676569147258115210",
"323845550879701923636485821535960459223",
"238112787265049397117793353658642573600",
"207364602890292108503816485398790817653",
"319163664486232603558015889334596442358"
]
},
"id": "ASB-A-200688826-202e3619",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/linux/security.h"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"105656823417883503715911137841006902801",
"332894221148265009623728853548189631123",
"267932359235310397240227903404830068709",
"88921030126102850122237358355427132319",
"252483249709895504749933195698470932509",
"14867552185965697716111542756816071771",
"94578123680325147249013171681837192285",
"195539343826828087033425429676324569363",
"231951434973904744963395791611522003357",
"234324142664819444171817808950148743001",
"325487016174712765183301543079751918236",
"86330567057262051968858215193338561342",
"10406308359614255641143292291812852284",
"245318693255130450329193901280301637959",
"158524313061522962023020458782280771245",
"244936256926537336968085364693560036082",
"138771037490280290200804945147220330405",
"139684673098713170975780252257393988710",
"329312122471065943862601464726279321323",
"211329276377476893153111018812506344861",
"251933005008011460804460918138603157190",
"185064926321514459261328551509859387450",
"262099218877840394946915497296966971322",
"55752847120026311214321880033677016305",
"36098467878721687305074030629633732301",
"335475855804350695822375460819936923990",
"73463107392000075330653437567216590840",
"276573047943312651880844638558538715775"
]
},
"id": "ASB-A-200688826-26cd0a81",
"source": "https://android.googlesource.com/kernel/common/+/d49297739550",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 139.0,
"function_hash": "65380354718387744503550318465511248520"
},
"id": "ASB-A-200688826-2c2b4e64",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/security.c",
"function": "security_binder_transfer_file"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"115479731058651618879635674085427059611",
"72120252236892090336450142209295579130",
"225779625634544484729459186312241608396",
"40621910807807358661194720316662914600",
"205011296305411288306961315682610200705",
"158248690466332669564129579416137524947",
"225779625634544484729459186312241608396",
"40621910807807358661194720316662914600",
"15640223675261419083899032276689741850",
"69596134765492017962586662485546701164",
"225980230840136316486052230238854125220",
"273221016821390250554787874858438522450",
"14027153297497793543007811270484422296",
"198125727150250665410372585268834271335",
"40168202033594379166677830584961784524",
"180857587354089569214436508104579704003",
"66304824172014453611408237956631714642",
"318417166714628621822503273675729090955",
"270685634687976528228545305212573412274",
"294885512704247874900355559892433124187",
"203321934675788844893427541923073504361"
]
},
"id": "ASB-A-200688826-3f98e6ec",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"325383347217087307434268333834049752529",
"307735939237918491921518799474930705577",
"265828607440514955408070850130527549444",
"323992307684146705106304964038574925816"
]
},
"id": "ASB-A-200688826-43d76f22",
"source": "https://android.googlesource.com/kernel/common/+/a4eacf3227bd",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"18179044106849088846855270647796054032",
"71730960146828084310854430289046494285",
"207107414340678828393377400823892753561",
"293613484112685522537529427321942368706",
"40893513029524938786806032659761112089",
"239406745835948555721156400961422076474",
"38798257102643414782027381581705193012",
"239593933893688860784893650936686007604",
"30454635709260189958671343075608643229",
"164355070642847119160138535238979857747",
"168955031598242100928987626095106504902",
"84472222668193976025269966123023581094",
"320865486886444889239756814764967315254",
"180564672791274128234216660747135130191",
"192598579777353139023398315890684550605",
"199074591680433746384154904583903132529",
"184308095363039105888070374692699170333",
"270251776508142616124323372083129230397",
"168036410668146965694132251330986206927",
"266649824571816462609075430062356701149",
"316233409035608813833836772327733242530",
"94557117925477471146211273148946859917",
"120129915903795129425975502979905223129",
"12619622551066257608969231274202335256",
"209516585675740738281618771300149545404",
"77268229706952586748549723298106938581",
"98575381110204222696170439394556499295",
"285380294390076565002794058997580445378",
"192153643477588373989308467294902147495",
"147108566507228044965960596111429213090",
"301939550545774062346284848601270393555",
"288014247260680070566586518637501135783",
"193586167227783697672097906766135579138",
"178904719520538795918035587160378402688",
"141888222529898317152170067303488982145",
"44071077992038026358523321340144208154",
"62510279387472005093802200162666095245",
"78352868298390049763754312108783032652"
]
},
"id": "ASB-A-200688826-499dbb92",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/selinux/hooks.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 204.0,
"function_hash": "144219858464324755008783790360640440619"
},
"id": "ASB-A-200688826-4ce2d4cf",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/selinux/hooks.c",
"function": "selinux_binder_set_context_mgr"
},
"signature_type": "Function"
},
{
"digest": {
"length": 396.0,
"function_hash": "275759781468628232113928053500850660921"
},
"id": "ASB-A-200688826-56ff6053",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/selinux/hooks.c",
"function": "selinux_binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1106.0,
"function_hash": "14533697915353012148119803724869010614"
},
"id": "ASB-A-200688826-68828f5d",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_ioctl_set_ctx_mgr"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1709.0,
"function_hash": "265074062221304891916913369698226648735"
},
"id": "ASB-A-200688826-857f3ccd",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_translate_handle"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"270894372891929137708113416126825917809",
"292336947073988240969255104031349503524",
"288849225800119384948072770420950962530",
"264845512587866129356757207966579053432",
"203671856128089170454920366150028440991",
"157243101463160834399772499024083915209",
"231070169673542246157074609168966926205"
]
},
"id": "ASB-A-200688826-867919bd",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/linux/lsm_hook_defs.h"
},
"signature_type": "Line"
},
{
"digest": {
"length": 16781.0,
"function_hash": "142731350329892688305715321941720870032"
},
"id": "ASB-A-200688826-8a5e7c2c",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 219.0,
"function_hash": "44945908081277697215052918151646845745"
},
"id": "ASB-A-200688826-9240429d",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/selinux/hooks.c",
"function": "selinux_binder_transfer_binder"
},
"signature_type": "Function"
},
{
"digest": {
"length": 93.0,
"function_hash": "95105541587093829148411427664706937594"
},
"id": "ASB-A-200688826-9ab9e976",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/security.c",
"function": "security_binder_set_context_mgr"
},
"signature_type": "Function"
},
{
"digest": {
"length": 16799.0,
"function_hash": "54234820591239460562704600920904070185"
},
"id": "ASB-A-200688826-9c3255b0",
"source": "https://android.googlesource.com/kernel/common/+/a4eacf3227bd",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 117.0,
"function_hash": "158581916644402848848693402248860046509"
},
"id": "ASB-A-200688826-9ebbecf9",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/security.c",
"function": "security_binder_transfer_binder"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"123941007659038979827173616659108527901",
"146005798303631116711067585617052905066",
"307197341495924396493535256342544686685",
"5829114062206061382307591821715992335"
]
},
"id": "ASB-A-200688826-a1a21e00",
"source": "https://android.googlesource.com/kernel/common/+/11db2de0af2a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 1177.0,
"function_hash": "36600205378999285488058314823190884601"
},
"id": "ASB-A-200688826-a7fddecf",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_translate_fd"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"23375747562566563857112845491542362359",
"44393964508846939656371435613571986135",
"68703338785981693882845493494700964977",
"150434377807740252526128317684769148094",
"233619380623688310956846033915399007720",
"104766539655022086744985088648485179395",
"236903956655660921899125707748150152415",
"75667745691304065275392437315551213768",
"120871262221703055822838860445459359556",
"205073129273949571481870511178738439725",
"212643725146793189449712077269332311911",
"67028431121051968623211596376581675990",
"248370723500031091888243380994349816017",
"9917094445828572398049856451928856987",
"247930277218549001949406740456389210975",
"61074542653786060871431593927803224799",
"297696395738555972448900130071738009325",
"116708056164056894005122436041387570337",
"52252935602424721753124088552714828855"
]
},
"id": "ASB-A-200688826-b68c3d02",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/security.c"
},
"signature_type": "Line"
},
{
"digest": {
"length": 16780.0,
"function_hash": "142694543363166549731969492745042247747"
},
"id": "ASB-A-200688826-bdedafdb",
"source": "https://android.googlesource.com/kernel/common/+/d49297739550",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 710.0,
"function_hash": "77996106764272309794010699920419347728"
},
"id": "ASB-A-200688826-c66589d3",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/selinux/hooks.c",
"function": "selinux_binder_transfer_file"
},
"signature_type": "Function"
},
{
"digest": {
"length": 2262.0,
"function_hash": "57742622803375176738804766632604004063"
},
"id": "ASB-A-200688826-c736e444",
"source": "https://android.googlesource.com/kernel/common/+/d49297739550",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_open"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"64150869290686575083186690153260310400",
"136075930780036996911694635467234938593",
"226743432505998202994331860352006131834"
]
},
"id": "ASB-A-200688826-cd640dd3",
"source": "https://android.googlesource.com/kernel/common/+/d49297739550",
"deprecated": true,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder_internal.h"
},
"signature_type": "Line"
},
{
"digest": {
"length": 113.0,
"function_hash": "332577417780383466937613046884585432468"
},
"id": "ASB-A-200688826-d7657601",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "security/security.c",
"function": "security_binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"length": 1244.0,
"function_hash": "85518337345665821497069842466247453010"
},
"id": "ASB-A-200688826-e4011b0d",
"source": "https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_translate_binder"
},
"signature_type": "Function"
},
{
"digest": {
"length": 16793.0,
"function_hash": "143490369972289889972572789804002152494"
},
"id": "ASB-A-200688826-e8bd7979",
"source": "https://android.googlesource.com/kernel/common/+/11db2de0af2a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/android/binder.c",
"function": "binder_transaction"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"236834185967059883143811159878505321443",
"188335292228109839063458195614305346396",
"224932441292397737776181014305404926509"
]
},
"id": "ASB-A-200688826-e8f4242f",
"source": "https://android.googlesource.com/kernel/common/+/11db2de0af2a",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "include/linux/security.h"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/kernel/common/+/d49297739550",
"https://android.googlesource.com/kernel/common/+/3af7a2f61023",
"https://android.googlesource.com/kernel/common/+/11db2de0af2a",
"https://android.googlesource.com/kernel/common/+/a4eacf3227bd"
],
"spl": "2022-03-05",
"severity": "High",
"types": [
"EoP"
]
}