cve-2024-46740
Vulnerability from cvelistv5
Published: 2024-09-18 07:12
Modified: 2024-12-19 09:22
Summary
In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF caused by offsets overwrite

Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.
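
The missing check described in the summary, as an added user-space model that is not the kernel patch or any code from this record: a target buffer holds a data section followed by an offsets section, and the raw-data copy is shown without and with the data-section bound. All names, sizes and sample values are hypothetical and constructed for illustration; the model stops at the corrupted offsets and does not model the unwind path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model only; names and sizes are hypothetical, not kernel code.
 * Target buffer layout: [ data section | offsets section ]. */
#define DATA_SIZE   32u
#define NUM_OFFSETS 2u
#define OFFS_SIZE   (NUM_OFFSETS * sizeof(uint64_t))
#define BUF_SIZE    (DATA_SIZE + OFFS_SIZE)

struct model_buf {
    uint8_t bytes[BUF_SIZE];
};

/* Store the object offsets right after the data section. */
static void write_offsets(struct model_buf *b, const uint64_t *offs)
{
    memcpy(b->bytes + DATA_SIZE, offs, OFFS_SIZE);
}

static uint64_t read_offset(const struct model_buf *b, size_t idx)
{
    uint64_t v;
    memcpy(&v, b->bytes + DATA_SIZE + idx * sizeof(v), sizeof(v));
    return v;
}

/* Copy the raw bytes src[start, end) that precede the next object.
 * Only the whole-buffer limit is enforced here, so a gap that ends past
 * DATA_SIZE spills into the offsets section. */
static int copy_gap_unchecked(struct model_buf *b, const uint8_t *src,
                              size_t start, size_t end)
{
    if (start > end || end > BUF_SIZE)
        return -1;
    memcpy(b->bytes + start, src + start, end - start);
    return 0;
}

/* Same copy, but the gap must lie inside the data section. */
static int copy_gap_checked(struct model_buf *b, const uint8_t *src,
                            size_t start, size_t end)
{
    if (start > end || end > DATA_SIZE)
        return -1;
    memcpy(b->bytes + start, src + start, end - start);
    return 0;
}

/* One constructed transaction: the payload is BUF_SIZE bytes of 0x41 and
 * the sender claims its next object starts at next_obj. Returns 1 if the
 * stored offsets still hold the values written before the copy. */
static int offsets_survive(int checked, size_t next_obj)
{
    const uint64_t offs[NUM_OFFSETS] = { 8, 24 };   /* constructed values */
    uint8_t payload[BUF_SIZE];
    struct model_buf b;

    memset(&b, 0, sizeof(b));
    memset(payload, 0x41, sizeof(payload));
    write_offsets(&b, offs);

    if (checked)
        (void)copy_gap_checked(&b, payload, 0, next_obj);
    else
        (void)copy_gap_unchecked(&b, payload, 0, next_obj);

    return read_offset(&b, 0) == offs[0] && read_offset(&b, 1) == offs[1];
}

int main(void)
{
    printf("unchecked, gap ends in data section:   intact=%d\n",
           offsets_survive(0, 8));
    printf("unchecked, gap ends past data section: intact=%d\n",
           offsets_survive(0, DATA_SIZE + 8));
    printf("checked,   gap ends past data section: intact=%d\n",
           offsets_survive(1, DATA_SIZE + 8));
    return 0;
}
```
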
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: c056a6ba35e00ae943e377eb09abd77a6915b31a; Version: 23e9d815fad84c1bee3742a8de4bd39510435362; Version: 7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde; Version: 6d98eb95b450a75adb4516a1d33652dc78d2b20c; Version: 6d98eb95b450a75adb4516a1d33652dc78d2b20c; Version: 6d98eb95b450a75adb4516a1d33652dc78d2b20c; Version: 6d98eb95b450a75adb4516a1d33652dc78d2b20c