CVE-2024-26606 - Linux Kernel Vulnerability: Binder Signal Epoll Threads of Self-Work

A recently discovered vulnerability, CVE-2024-26606, has been resolved in the Linux kernel. This vulnerability lies in the binder mechanism, where the epoll threads handling the binder operation's work queue must be signaled correctly to avoid them waiting indefinitely and potentially causing the system to hang.

Background

In a typical Linux kernel, binder facilitates communication between processes, allowing threads to execute tasks across process boundaries. When a thread initiates a command via BINDER_WRITE_READ without a read buffer, it relies on epoll_wait() or a similar mechanism to consume responses. These epoll threads depend on I/O events to determine when data is ready for consumption.

The Vulnerability

The vulnerability arises in the Linux kernel's binder implementation when epoll threads are not properly signaled via wakeup. When an epoll thread queues its own work, it may risk waiting indefinitely for an event due to the missing wakeup signal. This could cause the work to go unhandled and subsequently lead to other commands not triggering a wakeup, as pending work is already present. As a result, the system may become unresponsive, potentially compromising performance and stability.

Exploit Details

This issue affects Linux kernel versions prior to the patch and can be exploited by a malicious actor with access to a binder-enabled process. The code snippet below demonstrates how an attacker might initiate a command via BINDER_WRITE_READ, enqueue work, and trigger the vulnerability:

struct binder_write_read bwr;
struct binder_buffer *buffer;
ssize_t ret;

bwr.write_size = sizeof(struct binder_buffer);
bwr.write_buffer = (binder_uintptr_t)&buffer;
bwr.read_size = ;
bwr.read_buffer = ;

ret = ioctl(binder_fd, BINDER_WRITE_READ, &bwr);
if (ret < ) {
    // Handle the error case
} else {
    // Enqueue work and trigger the vulnerability
    epoll_event event;
    epoll_wait(epoll_fd, &event, 1, -1);
}

This code demonstrates how the vulnerability might be exploited, showing the missing wakeup signal, leading to the epoll_wait() function potentially waiting indefinitely.

Resolution

To address this vulnerability, a patch has been incorporated into the Linux kernel to ensure that epoll threads are signaled correctly with a wakeup when they enqueue work, allowing the system to remain responsive and process other tasks.

Original References

The official Linux kernel commit that resolves this vulnerability can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fbc8fce55076a656ac17eb479bcf09afde6ee1

The official description and details of CVE-2024-26606 can be found here

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26606

Conclusion

CVE-2024-26606 highlights the importance of proper signal handling and epoll thread management in the Linux kernel binder implementation. By addressing this vulnerability with a patch, the Linux kernel ensures that systems running affected versions are protected from performance and stability issues that might arise from this vulnerability. Make sure to keep your Linux kernel up-to-date and apply patches as needed to safeguard your system.

Timeline

Published on: 02/26/2024 16:28:00 UTC
Last modified on: 04/17/2024 17:49:01 UTC