authorLee Jones <lee@kernel.org>2024-04-24 16:28:27 -0700
committerLee Jones <lee@kernel.org>2024-04-24 16:33:16 -0700
commitf01eb0b679430a36470454f333c1b9f137178ad2 (patch)
tree39c158c72a09884d08a54b7721e870f6520b544f
parent88c6b9640532026989393a29ef647cc3d6bc1eb9 (diff)
downloadvulns-f01eb0b679430a36470454f333c1b9f137178ad2.tar.gz
published: Add another assigned CVE
Signed-off-by: Lee Jones <lee@kernel.org>
-rw-r--r--cve/published/2024/CVE-2024-26926 (renamed from cve/reserved/2024/CVE-2024-26926)0
-rw-r--r--cve/published/2024/CVE-2024-26926.json73
-rw-r--r--cve/published/2024/CVE-2024-26926.mbox82
-rw-r--r--cve/published/2024/CVE-2024-26926.sha11
4 files changed, 156 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26926 b/cve/published/2024/CVE-2024-26926
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26926
+++ b/cve/published/2024/CVE-2024-26926
diff --git a/cve/published/2024/CVE-2024-26926.json b/cve/published/2024/CVE-2024-26926.json
new file mode 100644
index 00000000..454a15de
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26926.json
@@ -0,0 +1,73 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6d98eb95b450",
+ "lessThan": "aaef73821a3b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40"
+ }
+ ],
+ "title": "binder: check offset alignment in binder_get_object()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26926",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
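Review bot: The semver block under `affected` marks every release before 5.17 as unaffected (`"version": "0", "lessThan": "5.17", "status": "unaffected"`), but CVE-2024-26926.mbox in this same commit says the issue was also introduced in 5.4.226, 5.10.157, 5.15.17 and 5.16.3 via backports c056a6ba35e0, 23e9d815fad8, 7a9ad4aceb02 and 66e12f5b3a97, with no fix listed for those branches. A scanner or SBOM tool that reads only the JSON would therefore clear stable kernels that the announcement describes as carrying the regression. The git-range `versions` array should carry one entry per backport commit, for example `{"version": "c056a6ba35e0", "status": "affected", "versionType": "git"}`, and the pre-5.17 unaffected range should be narrowed to match. Since the record names `bippy-d175d3acf727` as its generator, the gap is presumably in the generator rather than a hand edit, and the exact encoding for a branch with no fix yet should be checked against the CVE 5.0 schema.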
diff --git a/cve/published/2024/CVE-2024-26926.mbox b/cve/published/2024/CVE-2024-26926.mbox
new file mode 100644
index 00000000..d562699f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26926.mbox
@@ -0,0 +1,82 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26926: binder: check offset alignment in binder_get_object()
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2357; i=lee@kernel.org;
+ h=from:subject; bh=q2mC50rg5AobeEJaOW9bn841IYkK/xFSh0O3qbJm9eI=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBmKZVNj6NGqtCs5b7OtOfEjkurEL5iUJajOPvRV
+ g7o122jjzqJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZimVTQAKCRBRr4ovh/x3
+ YVtGD/kBS1BotWvno1EHPFoJSBRi4vLO32uZSc/E1rIhFY0oZtcaHIwBsh/HfAsc0Ws4cde65Zp
+ 98zrSqsKKpSe1rTR7VGjDIyBq2ZkkS3Nhet1kgHUIQaS7EPRXlYLelubYwF2nIQEUjERZYZgr0r
+ kcRz9ZNbOPWZclrtp6KUVErQej5B+i7VBEAR2gDEOUsrUREQUxynYQ4o2Ou6ExacihVYCl74Owz
+ FUrWbqjUcGmTTEkHXRvpZUyQhZAkBc1oyA1j/ZwjCK/c/FvtrWMxJzzMyDozLwbCWQhGbPZRj2W
+ oWVuUI+zplpdRoJLuNfnPmDFOBQa0NoRV5MwozbVZf4Ulz3wOIPIk5nAVRMOsAzB7z/l82Jv7s/
+ uNLUI7yo7hsAWvnfyOWx8A8SfuMS0GY/HsH0GYeowRCVKcS/Y4vMzug9Cs+i+QASXFc8onvPkfU
+ cLEBYW1GP9W4RbI3ZIN5Uz3gYozZpf6//4zkAFppHYLNY1kR89wY+4c552n9akBarJ78tE9KZSL
+ sep+tO1Rgy0b2pIYyoEXaldw55ayVY9AFFgwDOP1XjoMEnPLw2jfBn4O+snUup4PSbPI1uVc9Ci
+ gwB1Ke5T1OrCvDnHMuV8zzNt6ts2G/8W7OPWc0ntchknP1QT0KigRCXzEQoUuNqRWB34cDRL5u5
+ i73i3ulNKrXvjsg==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+binder: check offset alignment in binder_get_object()
+
+Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying
+txn") introduced changes to how binder objects are copied. In doing so,
+it unintentionally removed an offset alignment check done through calls
+to binder_alloc_copy_from_buffer() -> check_buffer().
+
+These calls were replaced in binder_get_object() with copy_from_user(),
+so now an explicit offset alignment check is needed here. This avoids
+later complications when unwinding the objects gets harder.
+
+It is worth noting this check existed prior to commit 7a67a39320df
+("binder: add function to copy binder object from buffer"), likely
+removed due to redundancy at the time.
+
+The Linux kernel CVE team has assigned CVE-2024-26926 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.17 with commit 6d98eb95b450 and fixed in 6.9-rc5 with commit aaef73821a3b
+ Issue introduced in 5.4.226 with commit c056a6ba35e0
+ Issue introduced in 5.10.157 with commit 23e9d815fad8
+ Issue introduced in 5.15.17 with commit 7a9ad4aceb02
+ Issue introduced in 5.16.3 with commit 66e12f5b3a97
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26926
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/android/binder.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40
diff --git a/cve/published/2024/CVE-2024-26926.sha1 b/cve/published/2024/CVE-2024-26926.sha1
new file mode 100644
index 00000000..84a92c5c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26926.sha1
@@ -0,0 +1 @@
+aaef73821a3b0194a01bd23ca77774f704a04d40