Linux Kernel Binder Double-Free Vulnerability in Bitmap Management

Vulnerability

A double-free vulnerability exists in the Linux kernel's binder driver, in the management of the per-process bitmap used to track handle descriptors. When a process needs a larger bitmap and the allocation for the expanded bitmap fails, the driver frees the old bitmap but leaves the stale reference to it in the process state. When the process later exits, the driver's process-teardown path frees the same bitmap a second time, producing a double free. The issue affects Linux kernel versions prior to 6.17.0-rc6.

Impact

A double free corrupts the kernel's slab allocator state. At minimum, a process that can trigger it can crash the system (denial of service); depending on heap layout, the corrupted allocator state can be turned into overlapping allocations or a use-after-free and, from there, potentially into arbitrary code execution in kernel context. Two factors limit exposure: the bug is only reachable on kernels built with the binder driver (CONFIG_ANDROID_BINDER_IPC) where untrusted processes can open a binder device node, which is the normal situation for apps on Android but not on most general-purpose Linux distributions; and the trigger depends on a kernel allocation failing, which an attacker cannot control directly and typically has to induce through memory pressure, so reliable exploitation is harder than the primitive alone suggests.

Reproduction

To reproduce, a process opens a binder device and acquires enough handle references that the driver must expand the process's descriptor bitmap. If the allocation for the larger bitmap fails (for example under memory pressure, or with slab allocation fault injection in a test kernel), the driver frees the old bitmap. When that process then exits, the deferred release work for the process frees the same bitmap again. With KASAN or slab debugging enabled, the double free is reported from kernel workqueue context in binder_deferred_func, the function that performs the deferred teardown of a binder process.
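The sequence above, modelled in plain C as an added illustration: this is not the kernel's binder or dbitmap code, and the structure, function and allocator names are simplified stand-ins. Rather than calling free() twice and corrupting the C heap, all frees go through a small tracking allocator so the second free of the same pointer is counted instead, which is what KASAN does for the kernel. The buggy grow path is shown next to one that clears the stale pointer on failure, the general remedy for this class of bug.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a per-process descriptor bitmap (stand-in for the
 * driver's structure; names are illustrative, not the kernel's own). */
struct desc_map {
	unsigned long *bits;
	unsigned int nbits;
};

#define BITS_PER_WORD (8 * sizeof(unsigned long))
#define WORDS(nbits) (((nbits) + BITS_PER_WORD - 1) / BITS_PER_WORD)

/* Tracking allocator: remembers every pointer it has freed so that a second
 * free of the same pointer is counted rather than corrupting the heap. */
#define TRACK_MAX 32
static void *freed[TRACK_MAX];
static int nfreed;
static int double_frees;

static void tracked_free(void *p)
{
	if (!p)
		return;
	for (int i = 0; i < nfreed; i++) {
		if (freed[i] == p) {
			double_frees++; /* in the kernel: slab corruption / KASAN double-free */
			return;
		}
	}
	if (nfreed < TRACK_MAX)
		freed[nfreed++] = p;
	free(p);
}

static void tracking_reset(void)
{
	nfreed = 0;
	double_frees = 0;
}

static int map_init(struct desc_map *m, unsigned int nbits)
{
	m->bits = calloc(WORDS(nbits), sizeof(unsigned long));
	if (!m->bits)
		return -1;
	m->nbits = nbits;
	return 0;
}

/* Grow the bitmap. alloc_fails stands in for the larger allocation failing
 * under memory pressure. On failure the old map is released; the buggy
 * variant leaves the dangling pointer behind, the fixed variant clears it. */
static int map_grow(struct desc_map *m, unsigned int new_nbits,
		    bool alloc_fails, bool fixed)
{
	unsigned long *bigger = alloc_fails ? NULL
		: calloc(WORDS(new_nbits), sizeof(unsigned long));

	if (!bigger) {
		tracked_free(m->bits);
		if (fixed) {
			m->bits = NULL; /* remedy: nothing stale left for teardown */
			m->nbits = 0;
		}
		return -1;
	}
	memcpy(bigger, m->bits, WORDS(m->nbits) * sizeof(unsigned long));
	tracked_free(m->bits);
	m->bits = bigger;
	m->nbits = new_nbits;
	return 0;
}

/* Process teardown: the deferred release work frees whatever map it finds. */
static void map_release(struct desc_map *m)
{
	tracked_free(m->bits);
	m->bits = NULL;
	m->nbits = 0;
}

/* Run init -> grow -> exit and return the number of double frees observed. */
int run_lifecycle(bool grow_fails, bool fixed)
{
	struct desc_map m;

	tracking_reset();
	if (map_init(&m, 64) != 0)
		return -1;
	map_grow(&m, 128, grow_fails, fixed);
	map_release(&m);
	return double_frees;
}

int main(void)
{
	printf("buggy, grow fails: %d double free(s)\n", run_lifecycle(true, false));
	printf("fixed, grow fails: %d double free(s)\n", run_lifecycle(true, true));
	printf("buggy, grow works: %d double free(s)\n", run_lifecycle(false, false));
	return 0;
}
```

Only the combination of a failed grow and the unfixed path reports a double free; a successful grow frees the old map exactly once in both variants, which is why the bug escapes ordinary testing and only surfaces when the allocation fails.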

Remediation

Upgrade to Linux kernel 6.17.0-rc6 or later, which includes the fix, or to a distribution or stable kernel that carries the backported fix; check your vendor's changelog for the binder double-free fix rather than relying on the version number alone. Upstream releases are available from the official Linux kernel website (kernel.org). Where an immediate update is not possible, note that the bug is only reachable on systems where the binder driver is enabled and its device nodes are accessible to untrusted processes.

Added: Oct 28, 2025, 10:19 AM
Updated: Oct 28, 2025, 10:19 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.