Allele Security Alert
ASA-2019-00553
Identifier(s)
ASA-2019-00553, CVE-2019-2215
Title
Use-after-free in Binder driver
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 4.16
Linux kernel versions before 4.15.1
Linux kernel versions before 4.14.17
Linux kernel versions before 4.9.196
Linux kernel versions before 4.4.196
Fixed version(s)
Linux kernel version 4.16
Linux kernel version 4.15.1
Linux kernel version 4.14.17
Linux kernel version 4.9.196
Linux kernel version 4.4.196
Proof of concept
Yes
Description
There is a use-after-free of the wait member of struct binder_thread in the Binder driver (drivers/android/binder.c).
Technical details
binder_poll() passes the thread->wait waitqueue, which can be slept on for work, to the poll machinery. When a thread that uses epoll explicitly exits via BINDER_THREAD_EXIT, the waitqueue is freed but never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access that waitlist, which results in a use-after-free.
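The lifecycle described above, as an added userspace C model that is not the kernel's code: the function names mimic the Binder and epoll routines, but the structures are constructed stand-ins and a `freed` flag replaces the real free so the dangling access is counted rather than executed. The fixed path assumes the shape of the referenced "remove waitqueue when thread exits" fix, namely that epoll drops the waitqueue before the thread is released.

```c
/* 'freed' stands in for the thread memory going back to the allocator, so the
 * dangling access is counted instead of crashing this model. */
struct wait_queue_head { int freed; };
struct binder_thread { struct wait_queue_head wait; int looper_poll; };
struct eventpoll { struct wait_queue_head *entries[4]; int n; };

/* binder_poll(): hands thread->wait to epoll, which keeps the raw pointer. */
static void binder_poll(struct eventpoll *ep, struct binder_thread *t) {
    t->looper_poll = 1;
    ep->entries[ep->n++] = &t->wait;
}

/* Drop every epoll entry that points at wq (what POLLFREE makes epoll do). */
static void ep_remove_waitqueue(struct eventpoll *ep, struct wait_queue_head *wq) {
    int i, j = 0;
    for (i = 0; i < ep->n; i++)
        if (ep->entries[i] != wq) ep->entries[j++] = ep->entries[i];
    ep->n = j;
}

/* Vulnerable BINDER_THREAD_EXIT: the thread goes away, epoll's pointer stays. */
static void binder_thread_release_vuln(struct eventpoll *ep, struct binder_thread *t) {
    (void)ep;                /* nothing tells epoll the waitqueue is going away */
    t->wait.freed = 1;
}

/* Fixed path: a thread that used poll is removed from epoll before release. */
static void binder_thread_release_fixed(struct eventpoll *ep, struct binder_thread *t) {
    if (t->looper_poll) ep_remove_waitqueue(ep, &t->wait);
    t->wait.freed = 1;
}

/* Process exit: epoll cleanup visits every registered waitqueue and returns
 * how many belong to an already-released thread (each one is a UAF read). */
static int ep_cleanup_dangling(const struct eventpoll *ep) {
    int i, dangling = 0;
    for (i = 0; i < ep->n; i++)
        dangling += ep->entries[i]->freed;
    return dangling;
}
/* Whole sequence from the advisory: returns 1 when the bug triggers, 0 if safe. */
static int run_scenario(int fixed) {
    struct binder_thread thread = { { 0 }, 0 };
    struct eventpoll ep = { { 0 }, 0 };
    binder_poll(&ep, &thread);                 /* epoll_ctl(ADD) on the binder fd */
    if (fixed) binder_thread_release_fixed(&ep, &thread);
    else       binder_thread_release_vuln(&ep, &thread);
    return ep_cleanup_dangling(&ep);           /* epoll teardown at process exit */
}
```

Under KASAN the real kernel reports the read in the vulnerable path as the use-after-free cited in the references; here it shows up as a non-zero dangling count.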
Credits
Maddie Stone (Google Project Zero)
Reference(s)
Issue 1942: Android: Use-After-Free in Binder driver
https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
KASAN: use-after-free Read in __lock_acquire (2)
https://lore.kernel.org/lkml/001a1149750a83b8db055f5db0d2@google.com/
ANDROID: binder: remove waitqueue when thread exits.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/android/binder.c?h=linux-4.14.y&id=7a3cee43e935b9d526ad07f20bf005ba7e74d05b
609966:UPSTREAM: ANDROID: binder: remove waitqueue when thread exits.
https://android-review.googlesource.com/c/kernel/common/+/609966
573742:UPSTREAM: ANDROID: binder: remove waitqueue when thread exits.
https://android-review.googlesource.com/c/kernel/common/+/573742/
609868:UPSTREAM: ANDROID: binder: remove waitqueue when thread exits.
https://android-review.googlesource.com/c/kernel/common/+/609868/
ANDROID: binder: remove waitqueue when thread exits.
https://github.com/torvalds/linux/commit/f5cb779ba16334b45ba8946d6bfa6d9834d1527f
Android Security Bulletin—October 2019
https://source.android.com/security/bulletin/2019-10-01
Linux 4.14.17
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.17
Linux 4.15.1
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.15.1
Linux 4.4.196
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.196
Tailoring CVE-2019-2215 to Achieve Root
https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/
CVE-2019-2215
https://github.com/marcinguy/CVE-2019-2215/blob/master/README.md
CVE-2019-2215
https://security-tracker.debian.org/tracker/CVE-2019-2215
CVE-2019-2215
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2215.html
CVE-2019-2215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215
CVE-2019-2215
https://nvd.nist.gov/vuln/detail/CVE-2019-2215
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: December 2, 2019