ASA-2019-00553 – Linux kernel: Use-after-free in Binder driver


Allele Security Alert

ASA-2019-00553

Identifier(s)

ASA-2019-00553, CVE-2019-2215

Title

Use-after-free in Binder driver

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.16

Linux kernel versions before 4.15.1
Linux kernel versions before 4.14.17
Linux kernel versions before 4.9.196
Linux kernel versions before 4.4.196

Fixed version(s)

Linux kernel version 4.16

Linux kernel version 4.15.1
Linux kernel version 4.14.17
Linux kernel version 4.9.196
Linux kernel version 4.4.196

Proof of concept

Yes

Description

There is a use-after-free of the wait member of the binder_thread struct in the binder driver at /drivers/android/binder.c.

Technical details

binder_poll() passes thread->wait, the waitqueue a binder thread can sleep on while waiting for work, to the poller. When a thread that uses epoll explicitly exits via the BINDER_THREAD_EXIT ioctl, the waitqueue is freed but never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access that wait list, which results in a use-after-free.
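As an added illustration (not code from the kernel or from any of the references listed below), the following user-space C model replays the lifetime bug and the effect of the upstream fix, which wakes the exiting thread's waitqueue with POLLFREE so that epoll detaches its entry before the memory goes away. Freeing is simulated with a flag rather than free() so the dangling access is reported instead of crashing, and every struct and function name is a simplified stand-in for its kernel namesake.

```c
#include <stdbool.h>
#include <stddef.h>
#define POLLFREE 0x4000  /* same value as the kernel's POLLFREE */

struct wait_queue_head { bool freed; struct wait_queue_entry *first; };
struct wait_queue_entry {
    struct wait_queue_head *whead;  /* like ep_pwq->whead: the head we are queued on */
    struct wait_queue_entry *next;
};

/* Models epoll's poll_wait callback: queue an entry on the thread's waitqueue. */
static void ep_ptable_queue_proc(struct wait_queue_head *wq, struct wait_queue_entry *e)
{
    e->whead = wq;
    e->next = wq->first;
    wq->first = e;
}

/* Models epoll's wake callback: on POLLFREE it forgets the head. */
static void ep_poll_callback(struct wait_queue_entry *e, unsigned key)
{
    if (key & POLLFREE)
        e->whead = NULL;
}

/* Models binder_thread_release(); 'fixed' adds the patch's POLLFREE wakeup. */
static void binder_thread_release(struct wait_queue_head *wq, bool fixed)
{
    if (fixed)
        for (struct wait_queue_entry *e = wq->first; e; e = e->next)
            ep_poll_callback(e, POLLFREE);
    wq->freed = true;  /* stands in for kfree(thread); a flag instead of free() */
}

/* Models epoll cleanup at process exit: -1 means it would touch freed memory. */
static int ep_remove_wait_queue(struct wait_queue_entry *e)
{
    if (!e->whead)
        return 0;  /* detached by POLLFREE, nothing to unlink */
    return e->whead->freed ? -1 : 0;  /* remove_wait_queue() would run here */
}

/* Sequence from the advisory: epoll on a binder fd, thread exit, process exit. */
int run_scenario(bool fixed)
{
    struct wait_queue_head wq = { false, NULL };
    struct wait_queue_entry e = { NULL, NULL };
    ep_ptable_queue_proc(&wq, &e);      /* epoll_ctl(ADD) reaches binder_poll() */
    binder_thread_release(&wq, fixed);  /* BINDER_THREAD_EXIT ioctl */
    return ep_remove_wait_queue(&e);    /* process exit tears down the epoll set */
}
```

run_scenario(false) reports the dangling access the advisory describes; run_scenario(true) shows the entry already detached when cleanup runs.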

Credits

syzkaller
Maddie Stone (Google Project Zero)

Reference(s)

Issue 1942: Android: Use-After-Free in Binder driver
https://bugs.chromium.org/p/project-zero/issues/detail?id=1942

Tailoring CVE-2019-2215 to Achieve Root
https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/

CVE-2019-2215
https://github.com/marcinguy/CVE-2019-2215/blob/master/README.md

binder epoll bug (was KASAN: use-after-free Read in __lock_acquire (2))
https://lore.kernel.org/lkml/20171213000517.GB62138@gmail.com/

ANDROID: binder: remove waitqueue when thread exits.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/android/binder.c?h=linux-4.14.y&id=7a3cee43e935b9d526ad07f20bf005ba7e74d05b

609966:UPSTREAM: ANDROID: binder: remove waitqueue when thread exits.
https://android-review.googlesource.com/c/kernel/common/+/609966

573742:UPSTREAM: ANDROID: binder: remove waitqueue when thread exits.
https://android-review.googlesource.com/c/kernel/common/+/573742/

609868:UPSTREAM: ANDROID: binder: remove waitqueue when thread exits.
https://android-review.googlesource.com/c/kernel/common/+/609868/

ANDROID: binder: remove waitqueue when thread exits.
https://github.com/torvalds/linux/commit/f5cb779ba16334b45ba8946d6bfa6d9834d1527f

Android Security Bulletin—October 2019
https://source.android.com/security/bulletin/2019-10-01

Linux kernel 4.14.17
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.17

Linux kernel 4.15.1
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.1

Linux kernel 4.4.196
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.196

CVE-2019-2215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215

CVE-2019-2215
https://nvd.nist.gov/vuln/detail/CVE-2019-2215

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 17, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.