CVE-2024-56554
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-56554
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56554.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-56554
- Downstream
- Published
- 2024-12-27T15:15:14Z
- Modified
- 2025-08-09T20:01:27Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
binder: fix freeze UAF in binderreleasework()
When a binder reference is cleaned up, any freeze work queued in the associated process should also be removed. Otherwise, the reference is freed while its ref->freeze.work is still queued in proc->work leading to a use-after-free issue as shown by the following KASAN report:
================================================================== BUG: KASAN: slab-use-after-free in binderreleasework+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211
CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binderdeferredfunc Call trace: binderreleasework+0x398/0x3d0 binderdeferredfunc+0xb60/0x109c processonework+0x51c/0xbd4 worker_thread+0x608/0xee8
Allocated by task 703: _kmalloccachenoprof+0x130/0x280 binderthreadwrite+0xdb4/0x42a0 binderioctl+0x18f0/0x25ac _arm64sysioctl+0x124/0x190 invokesyscall+0x6c/0x254
Freed by task 211: kfree+0xc4/0x230 binderdeferredfunc+0xae8/0x109c processonework+0x51c/0xbd4 worker_thread+0x608/0xee8 ==================================================================
This commit fixes the issue by ensuring any queued freeze work is removed when cleaning up a binder reference.
- References