Binder - Analysis and exploitation of CVE-2020-0041

In December 2019, a new Binder commit was pushed in the Linux kernel. This patch fixes the calculation of an index used to process specific types of objects in a Binder transaction.

This article studies the implication of the corrected issue, why it's a security bug and how to take avantage of it.

Reading the previous article about binder internals is strongly recommended before reading this article.

Binder Secctx Patch Analysis

In the beginning of 2019, a new feature was added in the Binder kernel module. This patch allows to send the caller SElinux context in a Binder transaction. This feature was in fact a fix for CVE-2019-2023. This vulnerability is related to an unsafe use of the getpidcon function, leading to ACL bypass.

This article studies details of this patch and its impact on security.

Binder transactions in the bowels of the Linux Kernel

Binder is the main IPC/RPC (Inter-Process Communication) system in Android. It allows applications to communicate with each other and it is the base of several important mechanisms in the Android environment. For instance, Android services are built on top of Binder. Message exchanged with Binder are called binder transactions, they can transport simple data such as integers but also process more complex structures like file descriptors, memory buffers or weak/strong references on objects. There are a lot of interesting Binder documentations available on the Internet but quite few details on how messages are translated from a process to another. This article tries to describe how Binder handles messages and performs translations of complex objects (file descriptors, pointers) between different processes. For this, a binder transaction will be followed from userland to the binder kernel.

Page 1 / 1