[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/android/binder/process.rs"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"eafedbc7c050c44744fbdf80bdf3315e860b7513","lessThan":"dd109e3442817bc03ad1f3ffd541092f8c428141","versionType":"git","status":"affected"},{"version":"eafedbc7c050c44744fbdf80bdf3315e860b7513","lessThan":"3be72099067d2cd4a0e089696f19780f75b2b88a","versionType":"git","status":"affected"},{"version":"eafedbc7c050c44744fbdf80bdf3315e860b7513","lessThan":"2e303f0febb65a434040774b793ba8356698802b","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/android/binder/process.rs"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.18","status":"affected"},{"version":"0","lessThan":"6.18","versionType":"semver","status":"unaffected"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","versionType":"semver","status":"unaffected"},{"version":"6.19.9","lessThanOrEqual":"6.19.*","versionType":"semver","status":"unaffected"},{"version":"7.0","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-667

OR
          *cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.18.1 up to (excluding) 6.18.19
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 6.19.9

kernel.org: https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b Types: Patch

kernel.org: https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a Types: Patch

kernel.org: https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141 Types: Patch

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: call set_notification_done() without proc lock

Consider the following sequence of events on a death listener:
1. The remote process dies and sends a BR_DEAD_BINDER message.
2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.
3. The local process then invokes the BC_DEAD_BINDER_DONE.
Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a
BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().

However, this can result in a deadlock if the current thread is not a
looper. This is because dead_binder_done() still holds the proc lock
during set_notification_done(), which called push_work_if_looper().
Normally, push_work_if_looper() takes the thread lock, which is fine to
take under the proc lock. But if the current thread is not a looper,
then it falls back to delivering the reply to the process work queue,
which involves taking the proc lock. Since the proc lock is already
held, this is a deadlock.

Fix this by releasing the proc lock during set_notification_done(). It
was not intentional that it was held during that function to begin with.

I don't think this ever happens in Android because BC_DEAD_BINDER_DONE
is only invoked in response to BR_DEAD_BINDER messages, and the kernel
always delivers BR_DEAD_BINDER to a looper. So there's no scenario where
Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.

https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b

https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a

https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141