{"id":"ASB-A-209791720", "published":"2022-04-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2021-39801", "A-209791720"], "details":"In ion_ioctl of ion-ioctl.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":":linux_kernel:", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":":0"}, {"fixed":":2022-04-05"}]}], "versions":["Kernel"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/kernel/common/+/504e1d6ee65d5", "https://android.googlesource.com/kernel/common/+/a8200613c8c9f", "https://android.googlesource.com/kernel/common/+/c47385c73fced"], "severity":"High", "spl":"2022-04-05", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["151033958707289077932689979513354046405", "216635458604075882410516048667531317036", "302664414490971408997864319493595674834", "221739946267379680246427709751205225781", "225733980763646134140239715297400349801", "205573501524462817502913143586070984544", "222786911308159080010190805770024787004", "208672130430734485746797742826257922828", "11610389113332808972779191315566787485", "5735080047482657032000385699806553598", "310462665825707919787718418861642143950", "103008139145088230189557335111397720498", "80106757133994343482217215752005749377", "251421797600579815286384243614451403060", "54690302684252438497159593156613049562"], "threshold":0.9}, "id":"ASB-A-209791720-003f29a7", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/c47385c73fced", "target":{"file":"drivers/staging/android/ion/ion-ioctl.c"}}, {"deprecated":false, "digest":{"function_hash":"257640874776738313320362658483379389384", "length":165}, "id":"ASB-A-209791720-00476d3e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f", "target":{"file":"drivers/staging/android/ion/ion.c", "function":"ion_handle_validate"}}, {"deprecated":false, "digest":{"function_hash":"194396682045491494479867707450503354625", "length":997}, "id":"ASB-A-209791720-3941d19a", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5", "target":{"file":"drivers/staging/android/ion/ion.c", "function":"ion_alloc"}}, {"deprecated":false, "digest":{"line_hashes":["115316621478917446111076648487400790093", "213608249474176736864228350980329419459", "161788460852369129312235424821745585785", "135617328054686189623692053771021851855", "165406810494529109394699560786033572828"], "threshold":0.9}, "id":"ASB-A-209791720-5d8783ef", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f", "target":{"file":"drivers/staging/android/ion/ion.c"}}, {"deprecated":false, "digest":{"line_hashes":["169032866111039584027050290384993199818", "45260048469060672154123496409544231969", "109798341365019266796925823364778754703", "23492863868278338197414794809765120393", "135575277495845586430922187484187761214", "14159644319171079361058387496568664809", "49565967641699121164462378510102989089", "205007637486206190812880135691145173827", "286456444278515149960324215844959712534", "335328932922453855797786703943064981072", "117846597220734447697643058427326609179", "298768025420993361783823801269014974710", "139022679760657808204069842830364986076", "103008139145088230189557335111397720498", "97784340856823063467455758773913511647", "54601529414435026616427798900040392104", "295049293083888451023542091012574865351", "154518143699404748536457234681962189006", "47616660811352131265273323140432238849", "312712170788142948634017861087406518434", "162312064554073253917769600024249479953", "49876865655404111109909385162452499600"], "threshold":0.9}, "id":"ASB-A-209791720-6dcf5156", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f", "target":{"file":"drivers/staging/android/ion/ion-ioctl.c"}}, {"deprecated":false, "digest":{"line_hashes":["72030289616729065893074888938306378018", "203828467542625958953853030784127242982", "221106329187612027717753517310982106318"], "threshold":0.9}, "id":"ASB-A-209791720-87a7046c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5", "target":{"file":"drivers/staging/android/ion/ion.h"}}, {"deprecated":false, "digest":{"function_hash":"199726031936338387520154907803516144643", "length":2254}, "id":"ASB-A-209791720-b90567aa", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f", "target":{"file":"drivers/staging/android/ion/ion-ioctl.c", "function":"ion_ioctl"}}, {"deprecated":false, "digest":{"line_hashes":["252964648987737316041003505877199307967", "286306285580761724214672628370304881257", "272996489787136708497938920513206387268", "124501695248120607727793710911504574049", "273315269955682704448441174283122383550", "124986485248968300642481103801406421945", "301357216895032312203679321575057657646"], "threshold":0.9}, "id":"ASB-A-209791720-db0ef49e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f", "target":{"file":"drivers/staging/android/ion/ion_priv.h"}}, {"deprecated":false, "digest":{"function_hash":"193762571505050839149557422263497255083", "length":2418}, "id":"ASB-A-209791720-ef5cf0ba", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/c47385c73fced", "target":{"file":"drivers/staging/android/ion/ion-ioctl.c", "function":"ion_ioctl"}}, {"deprecated":false, "digest":{"function_hash":"167391083008459275423407210704065747708", "length":2194}, "id":"ASB-A-209791720-f654ae31", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5", "target":{"file":"drivers/staging/android/ion/ion-ioctl.c", "function":"ion_ioctl"}}, {"deprecated":false, "digest":{"line_hashes":["234169670576267102804229620753238111498", "325437771204467165614668530822809638663", "244605751180689327088290003111144478609", "148326263044794487929845218259641970817", "123880761713220177931956264222623010877", "237930637910431024811205228433767112225", "41428011087008769976365949201988140769", "198311571423132510927805749041089391906", "244207441712928132596878135121434199488", "215253039158303253160431955927876565085", "182196715250716146213728330906729209937", "248250597680557493742077190509874551952", "278253701601950672219683139226723151853", "201541717412904143452260414197344225132"], "threshold":0.9}, "id":"ASB-A-209791720-f76d470b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5", "target":{"file":"drivers/staging/android/ion/ion-ioctl.c"}}, {"deprecated":false, "digest":{"line_hashes":["257737927408165704806799185401347417491", "244198503613174304217601679170999417096", "289109822885074938276036798598302941116", "302902507409333248070956712292208314863", "317191527901081197482347274890779005232", "320877193886064486212943847598354552050", "93929187523131189838550234545780551614", "165027308652524208329242819120042559829", "322321429631813108620020529978070545106", "209613764484524100735470668749321669392", "157952586831566872996180551778066034841", "32610049557441676041268696173107650180", "200751683175214098855700849041843731504", "195568203124863052195549374361046822207"], "threshold":0.9}, "id":"ASB-A-209791720-fee44e35", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5", "target":{"file":"drivers/staging/android/ion/ion.c"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-04-01"}, {"type":"FIX", "url":"https://android.googlesource.com/kernel/common/+/504e1d6ee65d5"}, {"type":"FIX", "url":"https://android.googlesource.com/kernel/common/+/a8200613c8c9f"}, {"type":"FIX", "url":"https://android.googlesource.com/kernel/common/+/c47385c73fced"}]}