author | Lee Jones <lee@kernel.org> | 2024-04-24 16:28:27 -0700 |
---|---|---|
committer | Lee Jones <lee@kernel.org> | 2024-04-24 16:33:16 -0700 |
commit | f01eb0b679430a36470454f333c1b9f137178ad2 (patch) | |
tree | 39c158c72a09884d08a54b7721e870f6520b544f | |
parent | 88c6b9640532026989393a29ef647cc3d6bc1eb9 (diff) | |
published: Add another assigned CVE
Signed-off-by: Lee Jones <lee@kernel.org>
-rw-r--r-- | cve/published/2024/CVE-2024-26926 (renamed from cve/reserved/2024/CVE-2024-26926) | 0 | ||||
-rw-r--r-- | cve/published/2024/CVE-2024-26926.json | 73 | ||||
-rw-r--r-- | cve/published/2024/CVE-2024-26926.mbox | 82 | ||||
-rw-r--r-- | cve/published/2024/CVE-2024-26926.sha1 | 1 |
4 files changed, 156 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26926 b/cve/published/2024/CVE-2024-26926
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26926
+++ b/cve/published/2024/CVE-2024-26926
diff --git a/cve/published/2024/CVE-2024-26926.json b/cve/published/2024/CVE-2024-26926.json
new file mode 100644
index 00000000..454a15de
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26926.json
@@ -0,0 +1,73 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6d98eb95b450",
+ "lessThan": "aaef73821a3b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40"
+ }
+ ],
+ "title": "binder: check offset alignment in binder_get_object()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26926",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26926.mbox b/cve/published/2024/CVE-2024-26926.mbox
new file mode 100644
index 00000000..d562699f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26926.mbox
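Review bot: The machine-readable affected ranges in this record contradict the accompanying mbox: the `custom` entry `"version": "0", "lessThan": "5.17", "status": "unaffected"` declares every release below 5.17 unaffected, while the mbox's "Affected and fixed versions" section states the introducing commit was backported into 5.4.226 (c056a6ba35e0), 5.10.157 (23e9d815fad8), 5.15.17 (7a9ad4aceb02) and 5.16.3 (66e12f5b3a97) with no fix listed for those branches. A consumer that matches on the JSON alone would therefore classify a 5.10.y or 5.15.y kernel carrying the backport as unaffected, which is the opposite of what the prose says. The single `git` entry should presumably be joined by one entry per backport, e.g. `{ "version": "c056a6ba35e0", "status": "affected", "versionType": "git" }` and likewise for the other three hashes, or the 0–5.17 `unaffected` range should not be asserted — unless the generator deliberately models mainline only, in which case that convention deserves a sentence in the commit message. The mbox hunk carries the same version data and should be kept consistent with whatever correction is applied here.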
@@ -0,0 +1,82 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26926: binder: check offset alignment in binder_get_object()
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2357; i=lee@kernel.org;
+ h=from:subject; bh=q2mC50rg5AobeEJaOW9bn841IYkK/xFSh0O3qbJm9eI=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBmKZVNj6NGqtCs5b7OtOfEjkurEL5iUJajOPvRV
+ g7o122jjzqJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZimVTQAKCRBRr4ovh/x3
+ YVtGD/kBS1BotWvno1EHPFoJSBRi4vLO32uZSc/E1rIhFY0oZtcaHIwBsh/HfAsc0Ws4cde65Zp
+ 98zrSqsKKpSe1rTR7VGjDIyBq2ZkkS3Nhet1kgHUIQaS7EPRXlYLelubYwF2nIQEUjERZYZgr0r
+ kcRz9ZNbOPWZclrtp6KUVErQej5B+i7VBEAR2gDEOUsrUREQUxynYQ4o2Ou6ExacihVYCl74Owz
+ FUrWbqjUcGmTTEkHXRvpZUyQhZAkBc1oyA1j/ZwjCK/c/FvtrWMxJzzMyDozLwbCWQhGbPZRj2W
+ oWVuUI+zplpdRoJLuNfnPmDFOBQa0NoRV5MwozbVZf4Ulz3wOIPIk5nAVRMOsAzB7z/l82Jv7s/
+ uNLUI7yo7hsAWvnfyOWx8A8SfuMS0GY/HsH0GYeowRCVKcS/Y4vMzug9Cs+i+QASXFc8onvPkfU
+ cLEBYW1GP9W4RbI3ZIN5Uz3gYozZpf6//4zkAFppHYLNY1kR89wY+4c552n9akBarJ78tE9KZSL
+ sep+tO1Rgy0b2pIYyoEXaldw55ayVY9AFFgwDOP1XjoMEnPLw2jfBn4O+snUup4PSbPI1uVc9Ci
+ gwB1Ke5T1OrCvDnHMuV8zzNt6ts2G/8W7OPWc0ntchknP1QT0KigRCXzEQoUuNqRWB34cDRL5u5
+ i73i3ulNKrXvjsg==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+binder: check offset alignment in binder_get_object()
+
+Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
+txn") introduced changes to how binder objects are copied. In doing so,
+it unintentionally removed an offset alignment check done through calls
+to binder_alloc_copy_from_buffer() -> check_buffer().
+
+These calls were replaced in binder_get_object() with copy_from_user(),
+so now an explicit offset alignment check is needed here. This avoids
+later complications when unwinding the objects gets harder.
+
+It is worth noting this check existed prior to commit 7a67a39320df
+("binder: add function to copy binder object from buffer"), likely
+removed due to redundancy at the time.
+
+The Linux kernel CVE team has assigned CVE-2024-26926 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.17 with commit 6d98eb95b450 and fixed in 6.9-rc5 with commit aaef73821a3b
+ Issue introduced in 5.4.226 with commit c056a6ba35e0
+ Issue introduced in 5.10.157 with commit 23e9d815fad8
+ Issue introduced in 5.15.17 with commit 7a9ad4aceb02
+ Issue introduced in 5.16.3 with commit 66e12f5b3a97
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26926
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/android/binder.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40
diff --git a/cve/published/2024/CVE-2024-26926.sha1 b/cve/published/2024/CVE-2024-26926.sha1
new file mode 100644
index 00000000..84a92c5c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26926.sha1
@@ -0,0 +1 @@
+aaef73821a3b0194a01bd23ca77774f704a04d40 |