{"id":"PUB-A-196011539","details":"In check_stack_write_fixed_off and related functions of verifier.c, there is a possible out of bounds read due to side channel information disclosure. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-196011539","CVE-2021-34556"],"modified":"2026-03-11T06:36:00.691385Z","published":"2022-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-06-01"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/dbb65264ffd6b"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/f5893af2704eb"},{"type":"FIX","url":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"}],"affected":[{"package":{"name":":linux_kernel:","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":":0"},{"fixed":":2022-06-05"}]}],"versions":["Kernel"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/dbb65264ffd6b","https://android.googlesource.com/kernel/common/+/f5893af2704eb","https://android.googlesource.com/kernel/common/+/e80c3533c354e"],"types":["EoP"],"spl":"2022-06-05","vanir_signatures":[{"deprecated":false,"signature_type":"Line","target":{"file":"kernel/bpf/disasm.c"},"id":"PUB-A-196011539-0d1072bc","signature_version":"v1","digest":{"line_hashes":["305205531802512017341163242226428153734","2585488129044331379047924650191033827","148647100567595964458019309735188144803","11942775594437908850679622134388458838","97380285631030218893061090657490387607","26028520635434484714737686679692895826","333889995909599102164999837277302371302","38416344364069209752327229388128081599","207180574071642262579878751953174229429","1140989656416146924460359855437808578","113863379513992470071379891876391522505","307526790653733229708139941107497589454"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/s390/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-0d943206","signature_version":"v1","digest":{"line_hashes":["173660151941257730778813155425447364132","27772917760678754337489395758997074697","4263981723230181936059574982541179791"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"kernel/bpf/verifier.c"},"id":"PUB-A-196011539-1c594aa7","signature_version":"v1","digest":{"line_hashes":["182488854690131797179066901887341540660","271173009328449815751821293458703451261","310174186534106498378868599311591280734","306542011294882954839953280146778342247","132529824464294092347516084025771305298","42774686486507674610697058585972372360","260359734910341384759439501628321889120","224655504302895966056038885098724495313","172586013935325408217766215477921052400","88663099339171433394887398805668896698","239399788995562905542893076457609826425","221401223387386154951881283578996855299","229377854323876157569224497146028075509","247847762457780231745944532620142726450","271328050391475722204129399657126311439","46513734829533060784782346837014843387","165171486799336320298270476480255857068","166428563734035799488706642278942050893","127938973500247587070161880066109034458","245735939258177471603765104448108917404","250481030738615036249574667283386740143","275375053391720368827897309270554922894","159527063965145643335309017096916471174","138932296751521324227780776623230154682","31338249366753241842434874153940092616","96558649734884107384889423090309872093","190700710210124230146937663722868917568","152517857441149867716972459265497063870","22886338686594838692324868792114923327","89608777941249804165992409815226845501","164160132678214999393523747541543861094","147573548943209720119237727655722207220","136636566013627829656115230913044548909","160917965473231298632224284240755582354","338410234862485064619864446859203040752","164752595107537758429194428834466207833","54924373031309107042229081057119906850","198529728826417249931535274056088378069","197127656020610365676307850299446752520","35399565883064119000548458521882442670","76475207340392274811600610366507367866","149371392150700186795644515949988392287","98795928228412693057733707089629424777","9965775337711935670052853055366478745","91780692971781325790009085792317569474","265152040855936153257612278913824457872","35609477671410479413244585492377728830","92054791574216593935447256905368484040","132559283577510594087545133429006974830","219118816130789100484258016385301035294","296214834374187139324085624602185753726","227964857960370696191335950781380443044","240765184995665736112152564590072645065","135165977311923425541691055636753176656","187046352186973719914360432949319324966","107335059204794406756503351502439680243","331485834681216573380197613344709310821","304931068564504553758104497457885925574","19041751437076259009393232264029286152"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/f5893af2704eb"},{"deprecated":false,"signature_type":"Function","target":{"function":"emit_insn","file":"arch/riscv/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-22eb820e","signature_version":"v1","digest":{"length":20577,"function_hash":"147097370526842176586445499829872231395"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"include/linux/bpf_verifier.h"},"id":"PUB-A-196011539-309489b1","signature_version":"v1","digest":{"line_hashes":["11827588269367780017347289816531254555","220082853007074704731493766471270654569","126240876126904056082089562739253149368","289413636288731032902716552852739685287","336432879129980519975502918492542684776"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/f5893af2704eb"},{"deprecated":false,"signature_type":"Function","target":{"function":"bpf_jit_build_body","file":"arch/powerpc/net/bpf_jit_comp64.c"},"id":"PUB-A-196011539-351f901c","signature_version":"v1","digest":{"length":15297,"function_hash":"294174256643244717990544565580314159508"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/x86/net/bpf_jit_comp32.c"},"id":"PUB-A-196011539-484e41fc","signature_version":"v1","digest":{"line_hashes":["72534822758079915980677350792303826845","312355728147259808235924515605054701913","41883834944338936064645645634184576215","203971995369681977278253899268290694588"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/sparc/net/bpf_jit_comp_64.c"},"id":"PUB-A-196011539-4ed7f0db","signature_version":"v1","digest":{"line_hashes":["336469752589275220962874764838447015688","115775195130646679520828912797132990136","203260536078357932351193061581570506613","42433511099458747828196898234257018505"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"___bpf_prog_run","file":"kernel/bpf/core.c"},"id":"PUB-A-196011539-56a6a0f2","signature_version":"v1","digest":{"length":4912,"function_hash":"174406747325980166482342059940882943639"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"kernel/bpf/core.c"},"id":"PUB-A-196011539-5c28def9","signature_version":"v1","digest":{"line_hashes":["334425439011962791381592573281576298580","278598289266191292183677601258691859591","107464823516679137706415161502274837150","313114587670471334334109005906838448214","291268397393893035706117144421732631702","78310186429295441904679599038208174377","62494668812812288361536101247448134900","22754680778273445770346211853086263252","165251615613666145827868125428450880499","132761906266490723107362312355046312489"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"print_bpf_insn","file":"kernel/bpf/disasm.c"},"id":"PUB-A-196011539-6b2a2c45","signature_version":"v1","digest":{"length":4923,"function_hash":"17901772029901263384751066157435205010"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/arm/net/bpf_jit_32.c"},"id":"PUB-A-196011539-8fa7aa27","signature_version":"v1","digest":{"line_hashes":["210430695689933423595888837903362155935","77043016451871767575502101027888169017","192158866918440344333095817543020214860","317590910850770164377588802317992428603"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"do_jit","file":"arch/x86/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-902dc469","signature_version":"v1","digest":{"length":14228,"function_hash":"208112688175208328229765726249175109175"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"check_stack_write","file":"kernel/bpf/verifier.c"},"id":"PUB-A-196011539-9c7fef19","signature_version":"v1","digest":{"length":2548,"function_hash":"260978440460247104333046083795496536256"},"source":"https://android.googlesource.com/kernel/common/+/f5893af2704eb"},{"deprecated":false,"signature_type":"Function","target":{"function":"build_one_insn","file":"arch/mips/net/ebpf_jit.c"},"id":"PUB-A-196011539-9fb08292","signature_version":"v1","digest":{"length":21931,"function_hash":"299076448839503224067133098884644342144"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/mips/net/ebpf_jit.c"},"id":"PUB-A-196011539-bbc92709","signature_version":"v1","digest":{"line_hashes":["1646315126352610310457325096472724998","135755401831858035681234605402382006889","110161445262095099042502702061791132824"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"bpf_jit_insn","file":"arch/s390/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-c3c9701a","signature_version":"v1","digest":{"length":14758,"function_hash":"109494238402991963395103761251491891155"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":true,"signature_type":"Line","target":{"file":"arch/powerpc/net/bpf_jit_comp64.c"},"id":"PUB-A-196011539-d5becb1d","signature_version":"v1","digest":{"line_hashes":["173660151941257730778813155425447364132","252665618640681091725949245853377867368","76245782363213252508968248274802784227"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/x86/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-d7c666c8","signature_version":"v1","digest":{"line_hashes":["167134435101084351807236780687715055186","160423127365116280587457800023300818300","121038820279835434383138199264553771259"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/riscv/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-f3dceb8b","signature_version":"v1","digest":{"line_hashes":["159990288689827447531468667024654920213","273959493138064794292009507429715246206","305538873591662001874145354440068119470"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"build_insn","file":"arch/sparc/net/bpf_jit_comp_64.c"},"id":"PUB-A-196011539-f4b2a4d8","signature_version":"v1","digest":{"length":13050,"function_hash":"214414488703278193114809950214223350654"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Function","target":{"function":"convert_ctx_accesses","file":"kernel/bpf/verifier.c"},"id":"PUB-A-196011539-f4ddc77e","signature_version":"v1","digest":{"length":3547,"function_hash":"216580944146069769674694690094967279470"},"source":"https://android.googlesource.com/kernel/common/+/f5893af2704eb"},{"deprecated":false,"signature_type":"Function","target":{"function":"do_jit","file":"arch/x86/net/bpf_jit_comp32.c"},"id":"PUB-A-196011539-f685a7ff","signature_version":"v1","digest":{"length":18377,"function_hash":"182897166988313984679366921934437898836"},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"},{"deprecated":false,"signature_type":"Line","target":{"file":"arch/arm64/net/bpf_jit_comp.c"},"id":"PUB-A-196011539-f7e33015","signature_version":"v1","digest":{"line_hashes":["339514062178109867062255709368080292924","63626503530458387618262136138259433317","317590910850770164377588802317992428603"],"threshold":0.9},"source":"https://android.googlesource.com/kernel/common/+/e80c3533c354e"}],"severity":"Moderate"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/PUB-A-196011539.json"}}],"schema_version":"1.7.5"}