Vulnerability title
binder: fix async_free_space accounting for empty parcels
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
binder: fix the async_free_space accounting issue by accounting for sizeof(void *) for empty parcels.
In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for asynchronous transactions with data payloads of 8 bytes or less, so that the driver could detect malicious clients sending 0-length asynchronous transactions to a server.
Unfortunately, on the "free" side, the accounting of async_free_space did not add sizeof(void *) back. The result was that up to 8 bytes of async_free_space leaked on every asynchronous transaction with a data payload of 8 bytes or less. These small transactions are uncommon, so this accounting issue went undetected for years.
The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating async_free_space during the free operation. Apart from this corner case of asynchronous transactions with payloads smaller than 8 bytes, the two are identical.
CVSS information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
Vulnerability category
Allocation of Resources Without Limits or Throttling
Vulnerability title
binder: fix async_free_space accounting for empty parcels
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
binder: fix async_free_space accounting for empty parcels
In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space")
fixed a kernel structure visibility issue. As part of that patch,
sizeof(void *) was used as the buffer size for 0-length data payloads so
the driver could detect abusive clients sending 0-length asynchronous
transactions to a server by enforcing limits on async_free_size.
Unfortunately, on the "free" side, the accounting of async_free_space
did not add the sizeof(void *) back. The result was that up to 8 bytes of
async_free_space were leaked on every async transaction of 8 bytes or
less. These small transactions are uncommon, so this accounting issue
has gone undetected for several years.
The fix is to use "buffer_size" (the allocated buffer size) instead of
"size" (the logical buffer size) when updating the async_free_space
during the free operation. These are the same except for this
corner case of asynchronous transactions with payloads < 8 bytes.
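Added example, not kernel code and not part of this advisory: a constructed C model of the accounting described above, showing the buggy free path (returns "size") next to the fixed one (returns "buffer_size"). The budget constant, struct layout and function names are assumptions; on a 64-bit build sizeof(void *) is 8, matching the "up to 8 bytes" in the description.

```c
#include <stddef.h>
#include <stdbool.h>
/* Constructed model of binder's async_free_space accounting; not kernel code.
 * ASYNC_SPACE_TOTAL is a hypothetical per-process async budget. */
#define ASYNC_SPACE_TOTAL 4096UL

struct buffer {
    size_t size;        /* logical payload size requested by the client */
    size_t buffer_size; /* bytes actually charged against async_free_space */
};
/* Allocation charges at least sizeof(void *) so empty async transactions still
 * consume budget (the behaviour introduced by commit 74310e06be4d). */
static size_t charged_size(size_t size)
{
    return size < sizeof(void *) ? sizeof(void *) : size;
}
static bool alloc_async(size_t *async_free_space, struct buffer *b, size_t size)
{
    b->size = size;
    b->buffer_size = charged_size(size);
    if (b->buffer_size > *async_free_space)
        return false; /* budget exhausted: the transaction is refused */
    *async_free_space -= b->buffer_size;
    return true;
}

/* Buggy free: gives back only the logical size, so buffer_size - size is lost. */
static void free_async_buggy(size_t *async_free_space, const struct buffer *b)
{
    *async_free_space += b->size;
}
/* Fixed free: gives back exactly what was charged at allocation time. */
static void free_async_fixed(size_t *async_free_space, const struct buffer *b)
{
    *async_free_space += b->buffer_size;
}

/* Run n alloc/free cycles with a payload of `size` bytes; return budget lost. */
static size_t leaked_after(size_t n, size_t size, bool fixed)
{
    size_t async_free_space = ASYNC_SPACE_TOTAL;
    struct buffer b;
    for (size_t i = 0; i < n; i++) {
        if (!alloc_async(&async_free_space, &b, size))
            break; /* budget drained: further async transactions would fail */
        if (fixed) free_async_fixed(&async_free_space, &b);
        else       free_async_buggy(&async_free_space, &b);
    }
    return ASYNC_SPACE_TOTAL - async_free_space;
}
```

With the buggy free, each 0-length transaction drains sizeof(void *) from the budget until allocation starts failing; with the fixed free the budget is fully restored after every cycle.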
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Linux kernel security vulnerability
Vulnerability description
Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel; it stems from a kernel structure visibility issue.
CVSS information
N/A
Vulnerability category
Other