Binder CVE-2020-0041

Introduced on 02 Feb 2019

Found by syzkaller on 18 Jun 2019, C-repro

Upstream patch on 13 Dec 2019

Patched in Android on 03 Mar 2020 (the bulletin still does not exist)

*UPD:* today a Kernel components section appeared in the (already published) bulletin:

CVE-2020-0041 A-145988638 Upstream kernel EoP High Binder

as well as CVE-2020-0040

CVE-2020-0040 A-143009752 Upstream kernel EoP High Networking

(introduced in 7f582b248d0a86bae5788c548d7bb5bca6f7691a on 14 May 2018)

Disable early PCI DMA

src

Unfortunately, the busmaster bit is under the control of the device itself, so a malicious device can just ignore it and do DMA anyway.

Fortunately, PCI bridges and PCIe root ports should only forward DMA transactions if their busmaster bit is set. If we clear that bit, any devices downstream of the bridge or port shouldn't be able to DMA, no matter how malicious they are. However, this had the potential to break devices that were still carrying out DMA. A possible solution is to call the driver shutdown code for each device behind a bridge before disabling DMA on the bridge, which in theory makes this safe but still depends on the firmware drivers behaving correctly.
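The reasoning above can be checked on a small model. This is an added example, not code from the kernel patch or from the linked source: the `pci_fn` struct, the function names and the sample topology are hypothetical, and only the register offsets and bit values follow the standard PCI configuration header.

```c
#include <stdint.h>
#include <stdio.h>

#define PCI_COMMAND            0x04   /* command register (low byte used here) */
#define PCI_COMMAND_MASTER     0x0004 /* Bus Master Enable bit */
#define PCI_HEADER_TYPE        0x0e   /* bit 7 is the multi-function flag */
#define PCI_HEADER_TYPE_BRIDGE 0x01   /* PCI-to-PCI bridge / PCIe port */

/* Hypothetical model: first 16 config bytes plus upstream index (-1 = none). */
struct pci_fn { const char *name; int parent; uint8_t cfg[16]; };
/* Constructed topology, not taken from a real machine. */
static struct pci_fn sample[] = {
    { "root-port",   -1, { [PCI_COMMAND] = 0x06, [PCI_HEADER_TYPE] = 0x81 } },
    { "switch-port",  0, { [PCI_COMMAND] = 0x06, [PCI_HEADER_TYPE] = 0x01 } },
    { "nic",          1, { [PCI_COMMAND] = 0x06 } },
    { "rogue-card",   0, { [PCI_COMMAND] = 0x00 } }, /* own bit clear, ignores it */
    { "integrated",  -1, { [PCI_COMMAND] = 0x06 } }, /* no bridge above it here */
};
#define N_FN ((int)(sizeof(sample) / sizeof(sample[0])))

static int busmaster(const struct pci_fn *f) { return f->cfg[PCI_COMMAND] & PCI_COMMAND_MASTER; }
static int is_bridge(const struct pci_fn *f) { return (f->cfg[PCI_HEADER_TYPE] & 0x7f) == PCI_HEADER_TYPE_BRIDGE; }

/* The endpoint's own bit is ignored on purpose: only upstream bridges are trusted. */
static int dma_reaches_memory(const struct pci_fn *t, int i) {
    for (int p = t[i].parent; p >= 0; p = t[p].parent)
        if (!busmaster(&t[p]))
            return 0;
    return 1;
}
static int count_dma_capable_endpoints(const struct pci_fn *t, int n) {
    int c = 0;
    for (int i = 0; i < n; i++)
        if (!is_bridge(&t[i])) c += dma_reaches_memory(t, i);
    return c;
}
/* Clear Bus Master Enable on every bridge; returns how many were changed. */
static int clear_busmaster_on_bridges(struct pci_fn *t, int n) {
    int changed = 0;
    for (int i = 0; i < n; i++)
        if (is_bridge(&t[i]) && busmaster(&t[i])) {
            t[i].cfg[PCI_COMMAND] &= (uint8_t)~PCI_COMMAND_MASTER;
            changed++;
        }
    return changed;
}
int main(void) {
    int before = count_dma_capable_endpoints(sample, N_FN);
    clear_busmaster_on_bridges(sample, N_FN);
    printf("DMA-capable endpoints: %d -> %d\n", before, count_dma_capable_endpoints(sample, N_FN));
    return 0;
}
```

In this model the one endpoint with no bridge above it remains DMA-capable after the bridges are cleared, which shows that the measure covers only devices downstream of a bridge or root port.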


Bonus: 1bit infoleak (Commit)

BINDER_LOOPER_STATE_POLL introduced in

1b77e9dcc3da9359f5936a7a4a0b5b6585c5e37e
Author: Martijn Coenen 2017-08-31 11:04:18
Committer: Greg Kroah-Hartman 2017-09-01 10:20:12
Parent: 8ef4665aa129a14f3733efc651c53a3c6c47b500 (android: binder: Add page usage in binder stats)
Child: 408c68b17aea2f23236cdb49b6c060e0ded846ed (ANDROID: binder: push new transactions to waiting threads.)
Branches: master, remotes/origin/linux-4.14.y, remotes/origin/linux-4.15.y, remotes/origin/linux-4.16.y, remotes/origin/linux-4.17.y, remotes/origin/linux-4.18.y, remotes/origin/linux-4.19.y, remotes/origin/linux-4.20.y, remotes/origin/linux-5.0.y, remotes/origin/linux-5.1.y, remotes/origin/linux-5.2.y, remotes/origin/linux-5.3.y, remotes/origin/master
Follows: v4.13-rc7
Precedes: v4.14-rc1


binder_thread_release introduced in
7a4408c6bd3eb1dafba67986259191be081e3efb
Author: Todd Kjos 2017-06-29 22:01:57
Committer: Greg Kroah-Hartman 2017-07-17 15:48:23
Parent: eb34983ba170f236b6801c7bee717da6abe4aff0 (binder: make sure target_node has strong ref)
Child: 372e3147df7016ebeaa372939e8774a1292db558 (binder: refactor binder ref inc/dec for thread safety)
Branches: master, remotes/origin/linux-4.14.y, remotes/origin/linux-4.15.y, remotes/origin/linux-4.16.y, remotes/origin/linux-4.17.y, remotes/origin/linux-4.18.y, remotes/origin/linux-4.19.y, remotes/origin/linux-4.20.y, remotes/origin/linux-5.0.y, remotes/origin/linux-5.1.y, remotes/origin/linux-5.2.y, remotes/origin/linux-5.3.y, remotes/origin/master
Follows: v4.13-rc1
Precedes: v4.14-rc1

UPD:
f5cb779ba16334b45ba8946d6bfa6d9834d1527f
author Martijn Coenen <maco@android.com> 2018-01-05 11:27:07 +0100
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-01-09 17:54:01 +0100
commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f (patch)
tree 0f7f2740c619c56e5d5d86a69a369cd2a7890649
parent 16ae30ea17cdd2b67f486c3518592067c8f9cc62 (diff)

Photo enlargers and lenses

Photo enlargers:
- Krokus 4 Color N
- Дон 110 (2 pcs)

Lenses:
- Gelios 44-M2 (42mm, 52mm filter)
- Мир-1B (42mm)
- И-61 (39mm)
- Индустар 50У-1 (42mm)

From the photo enlargers:
- Вега-1У (39mm) from the Дон-110
- Mikar (42mm) from the Krokus

Adapters:
- 42-42 (l=28)
- 42-42 (l=21)
- 42-39 (l=3.75) for screwing a 39mm lens into a 42mm mount