CVE-2024-46740 in Linuxinfo

Summary

by MITRE • 09/18/2024

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF caused by offsets overwrite

Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. This issue is made evident by the following KASAN report (trimmed):

================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...]

Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...]

Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...]
==================================================================

To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/05/2026

The vulnerability identified as CVE-2024-46740 resides within the Linux kernel's binder driver, which facilitates inter-process communication between Android applications and system services. This flaw manifests as a use-after-free condition stemming from improper bounds checking during the processing of raw data within binder transactions. The binder subsystem operates by copying objects and associated raw data into target buffers, where the copying mechanism fails to validate that raw data remains within the designated data section boundaries. When raw data exceeds the allocated data section size, it overwrites the offsets section that tracks object locations, leading to a cascade of memory corruption issues during error unwinding.

The technical implementation of this vulnerability follows a specific sequence that begins with the creation of binder objects and their associated raw data during transaction processing. During this phase, the kernel copies individual objects along with any intervening raw data into the target buffer without performing adequate bounds verification. When the raw data copy exceeds the data section limits, it begins overwriting the offsets section that contains crucial indexing information for object management. This corruption becomes particularly problematic when the system attempts to unwind processed objects during error handling, as the corrupted offsets cause arbitrary node decrements and premature release of memory objects.

The operational impact of this vulnerability extends beyond simple memory corruption, presenting significant security implications through potential privilege escalation and system instability. The use-after-free condition leaves dangling pointers that can be exploited by malicious processes to gain unauthorized access to system resources or manipulate kernel memory structures. The KASAN report demonstrates how the corruption manifests through a slab-use-after-free error during a spin lock operation, indicating that the freed memory has been reused for subsequent operations. This particular vulnerability aligns with CWE-416, which describes use-after-free conditions, and represents a critical weakness in memory management that can be leveraged for arbitrary code execution within kernel space.

Mitigation strategies for CVE-2024-46740 require implementing proper bounds checking during the raw data copy operations within the binder driver. The fix involves adding validation to ensure that raw data copies remain within the boundaries of the data section, preventing the overwrite of the offsets section that governs object indexing. This approach directly addresses the root cause by establishing proper input validation before memory operations occur. The solution aligns with ATT&CK technique T1068, which involves exploiting local privileges to escalate access, by preventing the memory corruption that enables such exploitation. System administrators should prioritize applying kernel updates that contain this fix, as the vulnerability affects the core kernel memory management subsystem and can be exploited to compromise system integrity. The mitigation approach follows standard security practices for preventing buffer overflows and memory corruption vulnerabilities, emphasizing the importance of bounds checking in kernel space operations.

Responsible

Linux

Reservation

09/11/2024

Disclosure

09/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00289

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!