CVE-2023-20928 - Binder.c Use-After-Free Vulnerability in Android Kernel Leading to Privilege Escalation

A critical vulnerability has been discovered in the Android Kernel, affecting the binder_vma_close() function of the binder.c file. This vulnerability, assigned the identifier CVE-2023-20928, could allow an attacker to escalate local privileges on affected devices, without requiring any user interaction or additional execution privileges.

In this post, we will dissect the details of this vulnerability, discuss how an attacker can exploit it, and provide some code snippets to help illustrate the issue. Finally, we will share links to the original references relating to this vulnerability, so that developers and security professionals can gain a better understanding of the issue and devise appropriate mitigation strategies.

Exploit Details

The binder_vma_close() function is responsible for handling the closing of binder memory allocations when a process is being terminated or when a binder instance is being destroyed. However, due to improper locking, there is a potential use-after-free scenario that can occur when working with binder.c.

In detail, the issue is caused by a race condition that can happen when multiple threads are accessing and modifying the same binder buffer object. This race condition could lead to the binder buffer object being freed while it is still in use by another thread. The consequence of this use-after-free vulnerability is that an attacker could potentially gain unauthorized access to sensitive information or execute arbitrary code with escalated privileges on the affected device.

Below is the problematic code snippet found in binder.c

void binder_vma_close(struct vm_area_struct *vma)
{
  struct binder_proc *proc = vma->vm_private_data;
  struct rb_node *n;
  struct binder_node *node;
  int do_free = ;

  for (n = rb_first(&proc->nodes); n != NULL; n = rb_next(n)) {
    node = rb_entry(n, struct binder_node, rb_node);
 
    if (!thread_group_empty(node->proc->tsk) &&
        node->proc->vma == vma) {
      spin_lock(&node->lock);
      node->proc->is_dead = 1;
      spin_unlock(&node->lock);
    }
  }

  /*Other code omitted for brevity*/

  if (do_free) {
    kfree(proc);
  }
}

As shown in the code snippet, the vulnerability originates from improper locking while iterating the binder nodes. With sufficient timing, this code could lead to the use-after-free scenario, thus allowing an attacker to exploit the vulnerability.

Original References

For more information on this issue, please refer to the upstream kernel documentation about the vulnerability:

- Upstream Kernel: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/android/binder.c

Conclusion

CVE-2023-20928 is a serious vulnerability affecting the Android kernel, which allows an attacker to escalate local privileges on a device without any user interaction. As software developers and security professionals, it is crucial for us to understand this vulnerability, devise appropriate mitigation strategies, and ensure that our Android devices are as secure as they can be.

If you have any questions or concerns about this vulnerability or how it might affect your devices, please feel free to reach out to the Android Security Team or go through the official Android source code and kernel documentation.

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 02/06/2023 19:15:00 UTC