PUB-A-191191823

See a problem?
Import Source
https://storage.googleapis.com/android-osv-test/PUB-A-191191823.json
JSON Data
https://api.osv.dev/v1/vulns/PUB-A-191191823
Aliases
Published
2021-10-01T00:00:00Z
Modified
2024-10-23T16:43:06.926828Z
Summary
[none]
Details

In xfrmstatefini and related functions of xfrm_state.c and related files, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / :linux_kernel:

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2021-10-05

Affected versions

Other

Kernel

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "243161038827417096249117573138058777384",
                    "2533267672426962681489286755455487889",
                    "332694360237361977395182802341411362187"
                ]
            },
            "id": "PUB-A-191191823-19b36eff",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "include/net/xfrm.h"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 408.0,
                "function_hash": "6852462641908386585231461938522555527"
            },
            "id": "PUB-A-191191823-a4aa4dff",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/ipv6/xfrm6_tunnel.c",
                "function": "xfrm6_tunnel_net_exit"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "229523491602531160254065325555422879319",
                    "197281378742686019844393500848894072709",
                    "228849362016189875298579074914545463885",
                    "123416886296457462454909832722580561112",
                    "109660003496568191125696794790970104126",
                    "138362605100217816335591702430092581019",
                    "283486307793756631151039538623233244132",
                    "168437063971864032226983419579197506024",
                    "109903552203742180102891192853726083337",
                    "218783971530653667576326592185539146816",
                    "61905635418335728281139742996708078973",
                    "64956988977403150703103618655309563032",
                    "10159363312468416494411373139083858061",
                    "230854622574928264560172461107740349273",
                    "242175030523505564915220495847088454605",
                    "267868390585593816517915983992887850017"
                ]
            },
            "id": "PUB-A-191191823-bbefcf37",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/xfrm/xfrm_user.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 919.0,
                "function_hash": "258793581796817467857631674352932460528"
            },
            "id": "PUB-A-191191823-bfb85366",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/xfrm/xfrm_user.c",
                "function": "validate_tmpl"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 638.0,
                "function_hash": "159688494881237414820018288092704824487"
            },
            "id": "PUB-A-191191823-c7e2f3e7",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/xfrm/xfrm_state.c",
                "function": "xfrm_state_fini"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "334119904790110196879810912817670783742",
                    "307855993762072398891459568333205928644",
                    "210678993606077500116061939022504978348",
                    "329715576545611587226342160905857423912"
                ]
            },
            "id": "PUB-A-191191823-daa424a1",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/ipv6/xfrm6_tunnel.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "139829487342025565876134762685900894426",
                    "208878218324934034428961596748072993814",
                    "214525917770506738197174906734251663048",
                    "178983729390585286081504476329595606588",
                    "52889798868292353760802554894756158332"
                ]
            },
            "id": "PUB-A-191191823-e3dda7a6",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/key/af_key.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1141.0,
                "function_hash": "322891837955063607216551630497528273955"
            },
            "id": "PUB-A-191191823-f6cce137",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/key/af_key.c",
                "function": "parse_ipsecrequest"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "290396018789963347844672641138512346602",
                    "274682750171497662749304830912080441716",
                    "162785980661114099367108606951023614806",
                    "318860455114264030518797770141199847702"
                ]
            },
            "id": "PUB-A-191191823-fd212021",
            "source": "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "net/xfrm/xfrm_state.c"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399"
    ],
    "spl": "2021-10-05",
    "severity": "Moderate",
    "types": [
        "EoP"
    ]
}