PUB-A-190011721

See a problem?
Import Source
https://storage.googleapis.com/android-osv-test/PUB-A-190011721.json
JSON Data
https://api.osv.dev/v1/vulns/PUB-A-190011721
Aliases
Published
2021-12-01T00:00:00Z
Modified
2024-10-23T16:43:06.926828Z
Summary
[none]
Details

In retrieveptrlimit and related functions of verifier.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / :linux_kernel:

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2021-12-05

Affected versions

Other

Kernel

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 4765.0,
                "function_hash": "280925786661479790060625219488333451145"
            },
            "id": "PUB-A-190011721-06da4639",
            "source": "https://android.googlesource.com/kernel/common/+/4e2c7b297431",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c",
                "function": "adjust_ptr_min_max_vals"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "262039529909060196131840256906024236091",
                    "270188737281727892283613521542930633652",
                    "202666486935702327703733695467908503678",
                    "206109830977063295313481655814501734546",
                    "292486978687385929434937330953248332427",
                    "328639218135929486931504967438055463412",
                    "62868870917074497638268689937442447168",
                    "320310744290047615038558848755583454387",
                    "261457560931777040427055367791851611644",
                    "68582937390981047386786096394346336561",
                    "262129148996771020818048131033824065966",
                    "112351779731652824777136638711725917188",
                    "190261737873874972819381169079371674881",
                    "303706700695040886962027604386566828839",
                    "10389472930954564919343417650301357378",
                    "3865584324248217866683036343101457061",
                    "58441117975608874748647369726117887541",
                    "79415134364014076933211547464204217671",
                    "317311942449228392442899622207029611134",
                    "135760675079791313916564915763451899558",
                    "32902188230975282252255827147040916814",
                    "204870489292401244044936037152747646290",
                    "25504007323729439322956106711636630733",
                    "172381262836319009699659302504928370105",
                    "136782001053866556956108588732434675271",
                    "10245136483796299734482042581954248075",
                    "322126300342519691672201230491836247048",
                    "108686124283852224623903031889849749709",
                    "202818059168461138909902828253571242458"
                ]
            },
            "id": "PUB-A-190011721-0f162e85",
            "source": "https://android.googlesource.com/kernel/common/+/4e2c7b297431",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1148.0,
                "function_hash": "246957723678091566589130391708730684184"
            },
            "id": "PUB-A-190011721-23b47069",
            "source": "https://android.googlesource.com/kernel/common/+/c87ef240a8bb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c",
                "function": "sanitize_ptr_alu"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 747.0,
                "function_hash": "6241484433920322589546792130090738769"
            },
            "id": "PUB-A-190011721-81499f5a",
            "source": "https://android.googlesource.com/kernel/common/+/c87ef240a8bb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c",
                "function": "retrieve_ptr_limit"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "47427510771680019310194127933122136096",
                    "319713665651579424303318085355357056722",
                    "240756402307389634250126952816184534541",
                    "207370627333112601712375871791117294648"
                ]
            },
            "id": "PUB-A-190011721-951b2ab4",
            "source": "https://android.googlesource.com/kernel/common/+/27acfd11ba17",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1127.0,
                "function_hash": "187212921763892443154419825529662340918"
            },
            "id": "PUB-A-190011721-97ef0e8e",
            "source": "https://android.googlesource.com/kernel/common/+/4e2c7b297431",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c",
                "function": "sanitize_ptr_alu"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 1384.0,
                "function_hash": "190812588988046212309368991988796455796"
            },
            "id": "PUB-A-190011721-a841515f",
            "source": "https://android.googlesource.com/kernel/common/+/27acfd11ba17",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c",
                "function": "sanitize_ptr_alu"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "3973112015353895427797486632497507088",
                    "109492799880415627359173180119756358953",
                    "151263697241877261312355100598146786640",
                    "227558448847777301654952269804132204619",
                    "48422950799149764877750188752617729560",
                    "322566115669594912920201594012322327461",
                    "39918092637745787937094710157800133725",
                    "27974248861366183145253296694337357657",
                    "278672871784064751746473846623304960395",
                    "10984009763167534490828174999891896918",
                    "36147004044395911372441237840665215257",
                    "273077193668393981112346615424261606026",
                    "89522239158795419087619746193143309496",
                    "57296124109740312822760439108636120772",
                    "39464320438896685214166384935106519725",
                    "271371438596389649210494411959216830846",
                    "160026756588115414011880114991878292752",
                    "4154023463872514507109786054285824972",
                    "84049923922650422497478016294474054196",
                    "225208778956210412871068268981562215833",
                    "288492177735258700518958040474273244828"
                ]
            },
            "id": "PUB-A-190011721-ae02bd93",
            "source": "https://android.googlesource.com/kernel/common/+/c87ef240a8bb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "kernel/bpf/verifier.c"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/4e2c7b297431",
        "https://android.googlesource.com/kernel/common/+/c87ef240a8bb",
        "https://android.googlesource.com/kernel/common/+/27acfd11ba17"
    ],
    "spl": "2021-12-05",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}