PT-2024-36859 · Linux · Linux Kernel

Carlos Llamas · Published 2024-12-27 · Updated 2025-01-01 · CVE-2024-56555

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.11.0-07343-ga727812a8d45

Description

The issue arises from a race condition in the binder_add_freeze_work() function, where the iteration over proc->nodes can be disrupted by binder_deferred_release(), leading to an out-of-bounds access. This occurs because proc->nodes and binder_dead_nodes share entries in binder_node through a union, specifically struct rb_node rb_node and struct hlist_node dead_node. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations

For Linux kernel versions prior to 6.11.0-07343-ga727812a8d45, fix the race by checking that the proc is still alive. If not, simply break out of the iteration. As a temporary workaround, consider adding a check to ensure the proc is alive before proceeding with the iteration in binder_add_freeze_work().
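
The race and the liveness check described above, as an added userspace C model (not kernel code and not part of the original advisory). The names live_link, dead_link, owner, release_proc, walk and demo are hypothetical, and the race is simulated deterministically in a single thread; in the kernel the mismatched node types lead to an out-of-bounds access, while this model only shows the walker drifting into nodes it does not own.

```c
#include <stdbool.h>
#include <stddef.h>

struct proc;
struct node {
    union {                      /* one storage slot, two meanings */
        struct node *live_link;  /* models rb_node: linkage in proc->nodes */
        struct node *dead_link;  /* models dead_node: linkage in binder_dead_nodes */
    };
    struct proc *owner;          /* NULL once the owning proc is gone */
};
struct proc { struct node *nodes; bool is_dead; };
static struct node *dead_nodes;  /* global list shared by every proc */

/* Models binder_deferred_release(): mark the proc dead and move its nodes to
 * the global dead list, overwriting the live linkage through the union. */
static void release_proc(struct proc *p)
{
    p->is_dead = true;
    while (p->nodes) {
        struct node *n = p->nodes;
        p->nodes = n->live_link;
        n->dead_link = dead_nodes;
        dead_nodes = n;
    }
}
/* Models the walk in binder_add_freeze_work(). The proc lock is dropped while
 * a node is processed; the release is made to run in that window on the first
 * node. Returns how many visited nodes did not belong to p. */
static int walk(struct proc *p, bool check_alive)
{
    int foreign = 0;
    bool raced = false;
    for (struct node *n = p->nodes; n; n = n->live_link) {
        foreign += (n->owner != p);
        if (!raced) { release_proc(p); raced = true; }  /* race window */
        if (check_alive && p->is_dead)  /* the fix: re-check after relocking */
            break;
    }
    return foreign;
}
/* Constructed scenario: proc a has 3 live nodes, 2 foreign nodes are already dead. */
static int demo(bool check_alive)
{
    struct proc a = { NULL, false };
    struct node f[2] = { { .owner = NULL }, { .owner = NULL } };
    struct node n[3] = { { .owner = &a }, { .owner = &a }, { .owner = &a } };
    f[0].dead_link = &f[1]; dead_nodes = &f[0];
    n[0].live_link = &n[1]; n[1].live_link = &n[2]; a.nodes = &n[0];
    return walk(&a, check_alive);
}
```

Calling demo(false) walks from the proc's first node straight into the two foreign dead nodes, while demo(true) stops after the first node because the proc is seen to be dead.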

Exploit

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2024-56555

Affected Products

Linux Kernel