There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach.

In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or UAF (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.

As we don't have a device (nor see any examples of existing Android devices) containing the necessary kernel configuration (CONFIG_QRTR_BPF_FILTER), we are presently unable to reproduce a crash for this bug. If you're aware of this option being enabled on any production kernels, I would be interested to know!

This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2024-09-22.

For more details, see the Project Zero vulnerability disclosure policy:
https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-
policy.html

NOTE:
This was originally reported as a non-security issue on June 17th, however Qualcomm has confirmed that there are affected devices and that they consider this a security issue, so adding this to the tracker.


Related CVE Number: CVE-2024-38401.