CVE-2025-40028
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
binder: fix double-free in dbitmap
A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-free error:
================================================================== BUG: KASAN: double-free in binder_proc_dec_tmpref+0x2e0/0x55c Free of addr ffff00000b7c1420 by task kworker/9:1/209
CPU: 9 UID: 0 PID: 209 Comm: kworker/9:1 Not tainted 6.17.0-rc6-dirty #5 PREEMPT Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: kfree+0x164/0x31c binder_proc_dec_tmpref+0x2e0/0x55c binder_deferred_func+0xc24/0x1120 process_one_work+0x520/0xba4 […]
Allocated by task 448: __kmalloc_noprof+0x178/0x3c0 bitmap_zalloc+0x24/0x30 binder_open+0x14c/0xc10 […]
Freed by task 449: kfree+0x184/0x31c binder_inc_ref_for_node+0xb44/0xe44 binder_transaction+0x29b4/0x7fbc binder_thread_write+0x1708/0x442c binder_ioctl+0x1b50/0x2900 […]
Fix this issue by marking proc->map NULL in dbitmap_free().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 15d9da3f818cae676f822a04407d3c17b53357d2 < c301ec61ce6f16e21a36b99225ca8a20c1591e10 | affected |
| Linux | Linux | 15d9da3f818cae676f822a04407d3c17b53357d2 < 0390633979969c54c0ce6a198d6f45cdbe2c84b1 | affected |
| Linux | Linux | 15d9da3f818cae676f822a04407d3c17b53357d2 < b781e5635a3398e2b64440371233c2c5102cd6cb | affected |
| Linux | Linux | 15d9da3f818cae676f822a04407d3c17b53357d2 < 3ebcd3460cad351f198c39c6edb4af519a0ed934 | affected |
| Linux | Linux | 6.11 | affected |
| Linux | Linux | 0 < 6.11 | unaffected |
| Linux | Linux | 6.12.52 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.12 <= 6.16.* | unaffected |
| Linux | Linux | 6.17.2 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c301ec61ce6f16e21a36b99225ca8a20c1591e10
- https://git.kernel.org/stable/c/0390633979969c54c0ce6a198d6f45cdbe2c84b1
- https://git.kernel.org/stable/c/b781e5635a3398e2b64440371233c2c5102cd6cb
- https://git.kernel.org/stable/c/3ebcd3460cad351f198c39c6edb4af519a0ed934
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.