Linux Kernel Binder Null Pointer Dereference Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's binder component. This issue arises in versions of the kernel that include commit 44e602b4e52f, which added missing mmap_lock calls when using the VMA. The vulnerability occurs when a binder process receives a transaction before the binder_proc's allocation space has been initialized, leading to a null pointer dereference. A similar issue arises when dumping the debugfs binder statistics, causing a crash.

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a kernel crash.

Reproduction

The vulnerability can be reproduced by sending a transaction to a binder process that has not yet initialized its allocation space. This can be done using a syzkaller executor, which will trigger the null pointer dereference by attempting to acquire a lock on an uninitialized memory reference.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the binder allocation process to ensure that the mmap_lock is properly acquired before handling transactions. Users should upgrade to a patched version of the kernel.