Linux Kernel FDA Object Length Zero Handling Vulnerability in Rust Binder Driver

Vulnerability

A vulnerability in the Linux kernel's Rust Binder driver, in the handling of empty file descriptor array (FDA) objects, has been addressed. An empty FDA object (one with zero file descriptors) could trigger an out-of-bounds error. The implementation interpreted a skip length of zero as a pointer fixup, but zero is also the correct skip length for an empty FDA. If the FDA is positioned at the end of the buffer, this misinterpretation leads to an attempt to write eight bytes out of bounds. The error is caught and an 'Invalid Argument' error is returned to userspace. The root cause was a misunderstanding of the skip length, a pattern inherited from the C implementation of the Binder framework. The vulnerability was identified and reported by a user.
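The ambiguity described above can be reproduced in a small userspace model. This is an added example, not the driver's code or the kernel patch: every type and function name is hypothetical, the buffer is constructed, and the explicit enum is an assumed way of removing the ambiguity.

```rust
// Simplified userspace model of the fixup ambiguity; all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Error { InvalidArgument } // stands in for the error returned to userspace

// Before: a single record where skip == 0 doubles as "patch a pointer here".
pub struct AmbiguousEntry { pub target_offset: usize, pub skip: usize, pub pointer_value: u64 }

// After (assumed design): the entry kind is explicit, so a zero-length skip is representable.
pub enum Entry {
    Fixup { target_offset: usize, pointer_value: u64 },
    Skip { target_offset: usize, len: usize },
}

// Bounds-checked range: an empty range at buf_len is valid, 8 bytes there is not.
fn range(buf_len: usize, off: usize, len: usize) -> Result<std::ops::Range<usize>, Error> {
    let end = off.checked_add(len).ok_or(Error::InvalidArgument)?;
    if end <= buf_len { Ok(off..end) } else { Err(Error::InvalidArgument) }
}

fn write_pointer(buf: &mut [u8], off: usize, value: u64) -> Result<(), Error> {
    let r = range(buf.len(), off, 8)?;
    buf[r].copy_from_slice(&value.to_ne_bytes());
    Ok(())
}

pub fn apply_ambiguous(buf: &mut [u8], e: &AmbiguousEntry) -> Result<(), Error> {
    if e.skip == 0 {
        // An empty FDA lands here and is treated as an 8-byte pointer write.
        write_pointer(buf, e.target_offset, e.pointer_value)
    } else {
        range(buf.len(), e.target_offset, e.skip).map(|_| ())
    }
}

pub fn apply_explicit(buf: &mut [u8], e: &Entry) -> Result<(), Error> {
    match *e {
        Entry::Fixup { target_offset, pointer_value } => write_pointer(buf, target_offset, pointer_value),
        Entry::Skip { target_offset, len } => range(buf.len(), target_offset, len).map(|_| ()),
    }
}

fn main() {
    let mut buf = [0u8; 16]; // constructed buffer; the empty FDA sits at its end
    let old = apply_ambiguous(&mut buf, &AmbiguousEntry { target_offset: 16, skip: 0, pointer_value: 0 });
    let new = apply_explicit(&mut buf, &Entry::Skip { target_offset: 16, len: 0 });
    println!("ambiguous: {:?}, explicit: {:?}", old, new);
}
```

In the model, the empty FDA at the end of the buffer is rejected by the ambiguous path because the eight-byte write fails its bounds check, while the explicit path accepts it as a valid zero-length skip.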

Impact

Exploitation of this vulnerability could lead to out-of-bounds memory access, a common source of memory corruption issues, which could potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux Kernel Archives.

Added: Feb 14, 2026, 5:27 PM
Updated: Feb 14, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 3.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.