{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-56555","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-27T14:03:05.990Z","datePublished":"2024-12-27T14:23:01.650Z","dateUpdated":"2025-10-01T20:07:16.206Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:58:14.520Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix OOB in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc->nodes with the\nproc->inner_lock held. However, this lock is temporarily dropped to\nacquire the node->lock first (lock nesting order). This can race with\nbinder_deferred_release() which removes the nodes from the proc->nodes\nrbtree and adds them into binder_dead_nodes list. This leads to a broken\niteration in binder_add_freeze_work() as rb_next() will use data from\nbinder_dead_nodes, triggering an out-of-bounds access:\n\n  ==================================================================\n  BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124\n  Read of size 8 at addr ffffcb84285f7170 by task freeze/660\n\n  CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   rb_next+0xfc/0x124\n   binder_add_freeze_work+0x344/0x534\n   binder_ioctl+0x1e70/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n\n  The buggy address belongs to the variable:\n   binder_dead_nodes+0x10/0x40\n  [...]\n  ==================================================================\n\nThis is possible because proc->nodes (rbtree) and binder_dead_nodes\n(list) share entries in binder_node through a union:\n\n\tstruct binder_node {\n\t[...]\n\t\tunion {\n\t\t\tstruct rb_node rb_node;\n\t\t\tstruct hlist_node dead_node;\n\t\t};\n\nFix the race by checking that the proc is still alive. If not, simply\nbreak out of the iteration."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder.c"],"versions":[{"version":"d579b04a52a183db47dfcb7a44304d7747d551e1","lessThan":"6b1be1da1f8279cf091266e71b5153c5b02aaff6","status":"affected","versionType":"git"},{"version":"d579b04a52a183db47dfcb7a44304d7747d551e1","lessThan":"011e69a1b23011c0db3af4b8293fdd4522cc97b0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.4","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6b1be1da1f8279cf091266e71b5153c5b02aaff6"},{"url":"https://git.kernel.org/stable/c/011e69a1b23011c0db3af4b8293fdd4522cc97b0"}],"title":"binder: fix OOB in binder_add_freeze_work()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.1,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-56555","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T20:02:16.414215Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-125","description":"CWE-125 Out-of-bounds Read"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T20:07:16.206Z"}}]}}