We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2022-49939

binder: fix UAF of ref->proc caused by race condition



Description

In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled. The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so. ================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20

Reserved 2025-05-01 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 229f47603dd306bc0eb1a831439adb8e48bb0eae
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 06e5b43ca4dab06a92bf4c2f33766e6fb11b880a
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 30d0901b307f27d36b2655fb3048cf31ee0e89c0
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 9629f2dfdb1dad294b468038ff8e161e94d0b609
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c2a4b5dc8fa71af73bab704d0cac42ac39767ed6
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 603a47f2ae56bf68288784d3c0a8c5b8e0a827ed
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before a0e44c64b6061dda7e00b7c458e4523e2331b739
affected

Default status
affected

4.14.293
unaffected

4.19.258
unaffected

5.4.213
unaffected

5.10.142
unaffected

5.15.66
unaffected

5.19.8
unaffected

6.0
unaffected

References

git.kernel.org/...c/229f47603dd306bc0eb1a831439adb8e48bb0eae

git.kernel.org/...c/06e5b43ca4dab06a92bf4c2f33766e6fb11b880a

git.kernel.org/...c/30d0901b307f27d36b2655fb3048cf31ee0e89c0

git.kernel.org/...c/9629f2dfdb1dad294b468038ff8e161e94d0b609

git.kernel.org/...c/c2a4b5dc8fa71af73bab704d0cac42ac39767ed6

git.kernel.org/...c/603a47f2ae56bf68288784d3c0a8c5b8e0a827ed

git.kernel.org/...c/a0e44c64b6061dda7e00b7c458e4523e2331b739

cve.org (CVE-2022-49939)

nvd.nist.gov (CVE-2022-49939)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2022-49939

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.