The following issue exists in the android-msm-wahoo-4.4-pie branch of (and possibly others):

There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c.

“binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in the use-after-free.”

The following proof-of-concept will show the UAF crash in a kernel build with KASAN (from initial upstream bugreport at /):

```c
struct epoll_event event = /* initializer not preserved on this page */;
epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
```

This issue was patched in Dec 2017 in the 4.14 LTS kernel, AOSP android 3.18 kernel, AOSP android 4.4 kernel, and AOSP android 4.9 kernel, but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review.

Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):
1) Pixel 2 with Android 9 and Android 10 preview ()
8) Oreo LG phones (run same kernel according to website)

*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline.
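The lifetime mismatch described above, as an added user-space model that is not kernel code and not part of the original report: a thread's waitqueue is handed to an epoll instance by binder_poll(), BINDER_THREAD_EXIT frees it, and epoll cleanup at process exit still walks the stale pointer. The `model_*` functions, the `alive` flag and `run_sequence` are stand-ins for the kernel objects; the `fixed` path models the Dec 2017 patch, which tells epoll to drop the waitqueue before it is freed.

```c
#include <stdbool.h>

/* Added user-space model of the thread->wait lifetime bug; not kernel code.
 * `alive` stands in for "this memory has not been freed". */
#define MAX_WATCH 8
struct waitqueue { bool alive; };                           /* thread->wait */
struct epoll_instance { struct waitqueue *watch[MAX_WATCH]; int n; };
struct binder_thread { struct waitqueue wait; bool polled; };

/* binder_poll(): hands &thread->wait to the epoll instance. */
static void model_binder_poll(struct epoll_instance *ep, struct binder_thread *t) {
    if (ep->n < MAX_WATCH) ep->watch[ep->n++] = &t->wait;
    t->polled = true;
}

/* POLLFREE-style notification: epoll drops the waitqueue before it dies. */
static void model_epoll_forget(struct epoll_instance *ep, struct waitqueue *wq) {
    for (int i = 0; i < ep->n; i++)
        if (ep->watch[i] == wq) { ep->watch[i] = ep->watch[--ep->n]; return; }
}

/* BINDER_THREAD_EXIT: the thread and its waitqueue are released. `fixed`
 * selects whether epoll is told first, which is what the Dec 2017 patch adds. */
static void model_thread_exit(struct epoll_instance *ep, struct binder_thread *t, bool fixed) {
    if (fixed && t->polled) model_epoll_forget(ep, &t->wait);
    t->wait.alive = false;                                  /* waitqueue gone */
}

/* Process exit: epoll cleanup walks every registered waitqueue and returns
 * how many are already freed. 0 means no use-after-free. */
static int model_epoll_cleanup(struct epoll_instance *ep) {
    int dangling = 0;
    for (int i = 0; i < ep->n; i++)
        if (!ep->watch[i]->alive) dangling++;
    ep->n = 0;
    return dangling;
}

/* The PoC sequence: epoll registration, BINDER_THREAD_EXIT, process exit.
 * Returns 1 on the unpatched path (dangling waitqueue) and 0 on the fixed one. */
int run_sequence(bool fixed) {
    struct epoll_instance ep = { .n = 0 };
    struct binder_thread t = { .wait = { .alive = true }, .polled = false };
    model_binder_poll(&ep, &t);
    model_thread_exit(&ep, &t, fixed);
    return model_epoll_cleanup(&ep);
}
```

The unpatched path leaves exactly one freed waitqueue registered with epoll at process exit, which is the object the real cleanup code dereferences.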