{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54157","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T13:02:52.530Z","datePublished":"2025-12-24T13:07:06.764Z","dateUpdated":"2026-05-11T19:56:35.464Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:56:35.464Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF of alloc->vma in race with munmap()\n\n[ cmllamas: clean forward port from commit 015ac18be7de (\"binder: fix\n  UAF of alloc->vma in race with munmap()\") in 5.10 stable. It is needed\n  in mainline after the revert of commit a43cfc87caaf (\"android: binder:\n  stop saving a pointer to the VMA\") as pointed out by Liam. The commit\n  log and tags have been tweaked to reflect this. ]\n\nIn commit 720c24192404 (\"ANDROID: binder: change down_write to\ndown_read\") binder assumed the mmap read lock is sufficient to protect\nalloc->vma inside binder_update_page_range(). This used to be accurate\nuntil commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\"), which now downgrades the mmap_lock after detaching the vma\nfrom the rbtree in munmap(). Then it proceeds to teardown and free the\nvma with only the read lock held.\n\nThis means that accesses to alloc->vma in binder_update_page_range() now\nwill race with vm_area_free() in munmap() and can cause a UAF as shown\nin the following KASAN trace:\n\n  ==================================================================\n  BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0\n  Read of size 8 at addr ffff16204ad00600 by task server/558\n\n  CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   dump_backtrace+0x0/0x2a0\n   show_stack+0x18/0x2c\n   dump_stack+0xf8/0x164\n   print_address_description.constprop.0+0x9c/0x538\n   kasan_report+0x120/0x200\n   __asan_load8+0xa0/0xc4\n   vm_insert_page+0x7c/0x1f0\n   binder_update_page_range+0x278/0x50c\n   binder_alloc_new_buf+0x3f0/0xba0\n   binder_transaction+0x64c/0x3040\n   binder_thread_write+0x924/0x2020\n   binder_ioctl+0x1610/0x2e5c\n   __arm64_sys_ioctl+0xd4/0x120\n   el0_svc_common.constprop.0+0xac/0x270\n   do_el0_svc+0x38/0xa0\n   el0_svc+0x1c/0x2c\n   el0_sync_handler+0xe8/0x114\n   el0_sync+0x180/0x1c0\n\n  Allocated by task 559:\n   kasan_save_stack+0x38/0x6c\n   __kasan_kmalloc.constprop.0+0xe4/0xf0\n   kasan_slab_alloc+0x18/0x2c\n   kmem_cache_alloc+0x1b0/0x2d0\n   vm_area_alloc+0x28/0x94\n   mmap_region+0x378/0x920\n   do_mmap+0x3f0/0x600\n   vm_mmap_pgoff+0x150/0x17c\n   ksys_mmap_pgoff+0x284/0x2dc\n   __arm64_sys_mmap+0x84/0xa4\n   el0_svc_common.constprop.0+0xac/0x270\n   do_el0_svc+0x38/0xa0\n   el0_svc+0x1c/0x2c\n   el0_sync_handler+0xe8/0x114\n   el0_sync+0x180/0x1c0\n\n  Freed by task 560:\n   kasan_save_stack+0x38/0x6c\n   kasan_set_track+0x28/0x40\n   kasan_set_free_info+0x24/0x4c\n   __kasan_slab_free+0x100/0x164\n   kasan_slab_free+0x14/0x20\n   kmem_cache_free+0xc4/0x34c\n   vm_area_free+0x1c/0x2c\n   remove_vma+0x7c/0x94\n   __do_munmap+0x358/0x710\n   __vm_munmap+0xbc/0x130\n   __arm64_sys_munmap+0x4c/0x64\n   el0_svc_common.constprop.0+0xac/0x270\n   do_el0_svc+0x38/0xa0\n   el0_svc+0x1c/0x2c\n   el0_sync_handler+0xe8/0x114\n   el0_sync+0x180/0x1c0\n\n  [...]\n  ==================================================================\n\nTo prevent the race above, revert back to taking the mmap write lock\ninside binder_update_page_range(). One might expect an increase of mmap\nlock contention. However, binder already serializes these calls via top\nlevel alloc->mutex. Also, there was no performance impact shown when\nrunning the binder benchmark tests."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"dd2283f2605e3b3e9c61bcae844b34f2afa4813f","lessThan":"1bb8a65190d45cd5c7dbc85e29b9102110cd6be6","status":"affected","versionType":"git"},{"version":"dd2283f2605e3b3e9c61bcae844b34f2afa4813f","lessThan":"931ea1ed31be939c1efdbc49bc66d2a45684f9b4","status":"affected","versionType":"git"},{"version":"dd2283f2605e3b3e9c61bcae844b34f2afa4813f","lessThan":"ca0cc0a9c6e56c699e2acbb93d8024523021f3c3","status":"affected","versionType":"git"},{"version":"dd2283f2605e3b3e9c61bcae844b34f2afa4813f","lessThan":"d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.15.115","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.31","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.3.5","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.1.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.3.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1bb8a65190d45cd5c7dbc85e29b9102110cd6be6"},{"url":"https://git.kernel.org/stable/c/931ea1ed31be939c1efdbc49bc66d2a45684f9b4"},{"url":"https://git.kernel.org/stable/c/ca0cc0a9c6e56c699e2acbb93d8024523021f3c3"},{"url":"https://git.kernel.org/stable/c/d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07"}],"title":"binder: fix UAF of alloc->vma in race with munmap()","x_generator":{"engine":"bippy-1.2.0"}}}}