CVE-2024-26926: Offset Alignment Check Added to binder_get_object() in Linux Kernel to Prevent Data Leakage

In the Linux kernel, a critical vulnerability, specifically related to the binder framework, has been addressed. The vulnerability could have potentially led to data leakage and other serious issues. This post will provide an in-depth look into the vulnerability, the provided patch, a code snippet highlighting the changes, and links to the original references for further exploration.

The vulnerability was found in the binder_get_object() function of the binder framework responsible for copying binder objects. The root cause of the issue was the removal of an offset alignment check. This happened as a result of changes made by Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying txn").

To understand the problem, let's dive a little deeper into how the function works. Previously, the call to binder_alloc_copy_from_buffer() and check_buffer() checked the offset alignment. However, the changes introduced in the commit mentioned above unintentionally removed the check by replacing the calls with copy_from_user() in binder_get_object(). This meant that an offset alignment check was no longer being performed, leading to potential issues when unwinding objects.

To resolve this vulnerability, an explicit offset alignment check has been added back into the binder_get_object() function. Ensuring the offset alignment check is present prevents complications when unwinding objects. It's important to note that the check existed before Commit 7a67a39320df ("binder: add function to copy binder object from buffer") but was likely removed due to redundancy at that time.

Here's a code snippet showcasing the changes made to reintroduce the offset alignment check

static struct binder_object *binder_get_object(struct binder_user *user,
					       void __user     *user_ptr)
{
...
  // New explicit offset alignment check is added here
  if (offset & 7)
    return ERR_PTR(-EINVAL);
...
}

For complete details on the changes made to address this vulnerability, you can refer to the patch available here. For further information on the original references, please follow these links:

1. Linux kernel source code
2. Commit 6d98eb95b450
3. Commit 7a67a39320df

In summary, the vulnerability CVE-2024-26926 has been addressed by reintroducing the offset alignment check previously removed. This check prevents potential data leakage and other issues when copying binder objects. As always, it is highly recommended to regularly update your Linux kernel to ensure the latest security patches and improvements are applied.

Timeline

Published on: 04/25/2024 06:15:57 UTC
Last modified on: 06/25/2024 23:15:27 UTC