Carlos Llamas

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.11.0-07343-ga727812a8d45 **Description** The issue arises from a race condition in the `binder add freeze work()` function, where the iteration over `proc->nodes` can be disrupted by `binder deferred release()`, leading to an out-of-bounds access. This occurs because `proc->nodes` and `binder dead nodes` share entries in `binder node` through a union, specifically `struct rb node rb node` and `struct hlist node dead node`. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Linux kernel versions prior to 6.11.0-07343-ga727812a8d45, fix the race by checking that the proc is still alive. If not, simply break out of the iteration. As a temporary workaround, consider adding a check to ensure the proc is alive before proceeding with the iteration in `binder add freeze work()`.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's binder functionality. During transactions, binder objects are processed and copied into a target buffer. However, the copy operation lacks an out-of-bounds check, allowing raw data to overwrite the offsets section if it exceeds the data section size. This corruption triggers an error that attempts to unwind the processed objects, but with corrupted offsets, leading to premature release of arbitrary nodes and a dangling pointer, resulting in a use-after-free condition. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.52 or later. As a temporary workaround, consider restricting access to the binder functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the binder component in the Linux kernel, where a vulnerability has been resolved by checking offset alignment in the `binder get object()` function. This check was unintentionally removed due to changes in how binder objects are copied, specifically with the introduction of commit 6d98eb95b450. The removal of the offset alignment check could lead to complications when unwinding objects. The vulnerability is related to a use-after-free issue in `binder alloc copy to buffer` of binder.c, which could result in arbitrary code execution and local escalation of privilege in the kernel. The exploitation of this vulnerability does not require additional execution privileges or user interaction. It involves crafting a malicious binder object with misaligned offsets and sending it through IPC, allowing the object to bypass alignment validation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0-rc5 **Description** The issue is related to a use-after-free vulnerability in the binder driver's shrinker callback. The mmap read lock is used during the shrinker's callback, which can lead to a race condition with munmap(). This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability was confirmed by a KASAN report, which showed a slab-use-after-free in zap page range single. **Recommendations** To resolve this issue, perform a vma lookup() instead, which will fail to find the vma that was isolated before the mmap lock downgrade. This option has better performance than upgrading to a mmap write lock, which would increase contention. Additionally, mmap write trylock() has been recently removed. Note: The provided information does not specify the exact version that contains the fix for this vulnerability. Therefore, it is recommended to update to the latest version of the Linux kernel to ensure you have the latest security patches.