(CVE-2024-26923) Android AF_UNIX Garbage Collector Race Condition Leading to Use-After-Free
CVE: CVE-2024-26923
Affected Versions: Android 14 (google/bluejay/bluejay:14/AP1A.240405.002/11480754:user/release-keys); Linux kernel >= 2.6.23
CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
| Product | Android |
|---|---|
| Vendor | |
| Severity | High — exploitable from within untrusted_app or isolated_app SELinux context to achieve local privilege escalation |
| Affected Versions | Android 14 (AP1A.240405.002); Linux kernel >= 2.6.23 through 6.8.x |
| CVE Identifier | CVE-2024-26923 |
| CVE Description | A race condition in the Linux kernel AF_UNIX garbage collector leads to a dangling pointer in gc_inflight_list, exploitable for local privilege escalation on Android |
| CWE Classification(s) | CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization (Race Condition) |
CVSS3.1 Scoring System
Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Product Background
A Unix domain socket (UDS, or IPC socket) is a data communications endpoint for exchanging data between processes executing on the same host. Identified by address family AF_UNIX, it is a fundamental component of *nix operating systems and is heavily used in Android for inter-process communication.
Description of the vulnerability
The vulnerability is a race condition use-after-free in the Linux kernel’s Unix socket garbage collector, exploitable within the untrusted_app or isolated_app SELinux context on Android — meaning it is reachable from a normal third-party application with no special privileges.
The garbage collector does not account for the risk of an embryo socket being enqueued during collection. If such an embryo has a peer carrying SCM_RIGHTS, two consecutive passes of scan_children() may observe a different set of children, leading to an incorrectly elevated inflight count and a dangling pointer within gc_inflight_list.
The race can be illustrated as follows, with three actors: S (an unconnected socket), L (a listening in-flight socket bound to an address, not in the file descriptor table), and V (a socket whose fd will be passed via sendmsg(), bumping the inflight count):
```
connect(S, addr)      sendmsg(S, [V]); close(V)    __unix_gc()
----------------      -------------------------    -----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
                      // V count=1 inflight=0

                      NS = unix_peer(S)
                      skb2 = sock_alloc()
                      skb_queue_tail(NS, skb2[V])

                      // V became in-flight
                      // V count=2 inflight=1

                      close(V)

                      // V count=1 inflight=1
                      // GC candidate condition met

                                                   for u in gc_inflight_list:
                                                     if (total_refs == inflight_refs)
                                                       add u to gc_candidates

                                                   // gc_candidates={L, V}

                                                   for u in gc_candidates:
                                                     scan_children(u, dec_inflight)

                                                   // embryo (skb1) was not
                                                   // reachable from L yet, so V's
                                                   // inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
                                                   for u in gc_candidates:
                                                     if (u.inflight)
                                                       scan_children(u, inc_inflight_move_tail)

                                                   // V count=1 inflight=2 (!)
```
The fix ensures that if a GC-candidate listening socket is present, the GC acquires and releases its state lock, forcing the collector to wait until any ongoing connect() to that socket completes. After releasing the lock, any SCM-laden embryo is already enqueued, and any subsequent embryo cannot carry SCM_RIGHTS. At that point, unix_inflight() cannot occur because unix_gc_lock is already held, leaving the inflight graph unaffected.
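The following is an added user-space model, written for this advisory and not taken from the kernel or from the reporters, of the accounting described in the race diagram and in the fix paragraph above. It replays the three actors L, V and NS with plain structs, runs a simplified `__unix_gc()` once with the connect() landing between the two scan_children() passes (the vulnerable ordering) and once with the listener's state lock taken first (the fixed ordering), and reports V's counters. The struct layout, the `pending_connect` helper and the `run_scenario`/`inflight_consistent` functions are assumptions of this model; no sockets are created and nothing here touches the kernel.

```c
/* Added example (not kernel code): a user-space model of the AF_UNIX
 * garbage-collector accounting described in the advisory. Struct names
 * and helpers are assumptions of this model; no real sockets are created. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_CHILDREN 4

struct sock {
    const char *name;
    int count;       /* total references (file refcount analogue) */
    int inflight;    /* references held by queued SCM_RIGHTS skbs */
    bool listening;  /* bound listener whose queue holds embryos */
    bool embryo;     /* not-yet-accepted child created by connect() */
    int nchildren;
    struct sock *children[MAX_CHILDREN]; /* reachable through this sock's queues */
};

struct result { int count; int inflight; };

/* connect() side: the embryo becomes visible to the GC only once L's
 * state lock is released (__skb_queue_tail(L, skb1) in the diagram). */
struct pending_connect { struct sock *listener; struct sock *embryo; bool done; };

static void add_child(struct sock *parent, struct sock *child)
{
    if (parent->nchildren < MAX_CHILDREN)
        parent->children[parent->nchildren++] = child;
}

static void finish_connect(struct pending_connect *pc)
{
    if (!pc->done) {
        add_child(pc->listener, pc->embryo);
        pc->done = true;
    }
}

static void dec_inflight(struct sock *s) { s->inflight--; }
static void inc_inflight(struct sock *s) { s->inflight++; }

/* Model of scan_children(): visit every socket whose fd sits in an skb
 * queued on u; for a listener, look through the queues of its embryos. */
static void scan_children(struct sock *u, void (*func)(struct sock *))
{
    for (int i = 0; i < u->nchildren; i++) {
        struct sock *c = u->children[i];
        if (c->embryo)
            scan_children(c, func);
        else
            func(c);
    }
}

/* Model of __unix_gc(). With fixed == true the GC takes and drops the
 * state lock of every listening candidate, so the in-progress connect()
 * lands before the two scan passes instead of between them. */
static void unix_gc(struct sock **inflight_list, int n,
                    struct pending_connect *pc, bool fixed)
{
    struct sock *cand[8];
    int nc = 0;

    for (int i = 0; i < n; i++) {
        struct sock *u = inflight_list[i];
        if (u->count == u->inflight) {        /* total_refs == inflight_refs */
            cand[nc++] = u;
            if (fixed && u->listening)
                finish_connect(pc);           /* unix_state_lock(L); unix_state_unlock(L) */
        }
    }
    for (int i = 0; i < nc; i++)
        scan_children(cand[i], dec_inflight);

    finish_connect(pc);   /* vulnerable kernel: connect() completes here */

    for (int i = 0; i < nc; i++)
        if (cand[i]->inflight)
            scan_children(cand[i], inc_inflight);   /* inc_inflight_move_tail */
}

/* Replays the three-actor timeline and reports V's counters afterwards. */
static struct result run_scenario(bool fixed)
{
    struct sock L  = { .name = "L",  .count = 1, .inflight = 1, .listening = true };
    struct sock V  = { .name = "V",  .count = 1, .inflight = 1 };   /* sent, then closed */
    struct sock NS = { .name = "NS", .count = 1, .inflight = 0, .embryo = true };
    struct pending_connect pc = { &L, &NS, false };
    struct sock *inflight_list[] = { &L, &V };   /* gc_inflight_list */

    add_child(&NS, &V);   /* sendmsg(S, [V]) queued skb2[V] on the embryo */
    unix_gc(inflight_list, 2, &pc, fixed);
    return (struct result){ V.count, V.inflight };
}

/* Invariant the collector relies on: never more in-flight refs than refs. */
static bool inflight_consistent(struct result r)
{
    return r.inflight <= r.count;
}

int main(void)
{
    struct result vuln = run_scenario(false), fixed = run_scenario(true);
    printf("vulnerable GC: V count=%d inflight=%d (%s)\n", vuln.count, vuln.inflight,
           inflight_consistent(vuln) ? "consistent" : "INCONSISTENT");
    printf("fixed GC:      V count=%d inflight=%d (%s)\n", fixed.count, fixed.inflight,
           inflight_consistent(fixed) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

With the vulnerable ordering the model ends with V at count=1, inflight=2, the same "(!)" state the diagram reaches: the dec pass never saw V through L, but the inc pass did. With the fixed ordering the connect() is forced to complete before the dec pass, both passes see the same children, and V ends at count=1, inflight=1. The model is one level deep on purpose; it shows why the two passes must observe an identical graph, which is the property the state-lock handshake in the fix restores.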
Fix
The vulnerability was addressed in the Android kernel via four commits to the Android Common Kernel:
The upstream Linux kernel fix for the same underlying race is 47d8ac01. A related variant of this race condition was separately assigned CVE-2024-36972.
Credit
Billy Jheng Bing-Jhong and Pan Zhenpeng of STAR Labs SG Pte. Ltd.
Timeline
- 2024-04-22 — Reported to Google Android Security Team
- 2024-04-25 — CVE-2024-26923 assigned and published
- 2024-07-01 — Patch released in Android Security Bulletin — July 2024