CVE-2021-46935
Source: ubuntu.com (Ubuntu CVE tracker)
Published: 2024-02-27 00:00:00
Tags: linux, kernel, binder, vulnerability, resolved, async_free_space, accounting, buffer_size, async transactions

CVSS3: 5.5 Medium
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 10.4%)

In the Linux kernel, the following vulnerability has been resolved:

binder: fix async_free_space accounting for empty parcels

In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size.

Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8 bytes of async_free_space were leaked on every async transaction of 8 bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes.
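The accounting mismatch above is easiest to see in a small user-space model. The following C program is an added example, not code from the Linux kernel or from the binder driver: every name in it (struct async_pool, struct async_buf, async_alloc, async_free_buggy, async_free_fixed, quota_leaked) and the 4096-byte quota are constructed for illustration. It models only the rule the text states (a 0-length payload is charged sizeof(void *) on allocation) and does not reproduce the kernel's alignment of real buffer sizes. The useful check it encodes is the invariant a reviewer would want for any quota scheme: after every buffer has been freed, the free space must equal the starting value, for every payload size.

```c
/* Added example (not kernel code): a user-space model of the binder
 * async_free_space accounting bug described in CVE-2021-46935.
 * All names and the pool size below are constructed for illustration;
 * the kernel's alignment rules for non-empty payloads are not modelled. */
#include <stddef.h>
#include <stdio.h>

#define ASYNC_POOL_SIZE 4096   /* constructed quota for async transactions */

struct async_pool {
    size_t async_free_space;   /* quota left for async transactions */
};

struct async_buf {
    size_t size;               /* logical payload size the client sent */
    size_t buffer_size;        /* bytes actually charged to the quota */
};

/* Allocation side: a 0-length payload is charged sizeof(void *) so that
 * empty async parcels still consume quota (the 4.13 change in the text). */
static int async_alloc(struct async_pool *p, size_t size, struct async_buf *b)
{
    size_t charged = size ? size : sizeof(void *);

    if (charged > p->async_free_space)
        return -1;             /* quota exhausted: allocation refused */
    p->async_free_space -= charged;
    b->size = size;
    b->buffer_size = charged;
    return 0;
}

/* Buggy free: credits the logical size, so the sizeof(void *) pad charged
 * for an empty parcel is never returned to the quota. */
static void async_free_buggy(struct async_pool *p, const struct async_buf *b)
{
    p->async_free_space += b->size;
}

/* Fixed free: credits buffer_size, the amount that was actually charged. */
static void async_free_fixed(struct async_pool *p, const struct async_buf *b)
{
    p->async_free_space += b->buffer_size;
}

/* Runs `cycles` alloc/free round trips of a `payload`-byte async transaction
 * through the chosen free routine and returns how much quota went missing.
 * Correct accounting returns 0 for every payload size; if the quota runs dry
 * part-way, the loop stops and the full missing amount is reported. */
static size_t quota_leaked(size_t payload, unsigned cycles,
                           void (*free_fn)(struct async_pool *,
                                           const struct async_buf *))
{
    struct async_pool p = { .async_free_space = ASYNC_POOL_SIZE };
    struct async_buf b;
    unsigned i;

    for (i = 0; i < cycles; i++) {
        if (async_alloc(&p, payload, &b) != 0)
            break;             /* quota exhausted before the loop finished */
        free_fn(&p, &b);
    }
    return ASYNC_POOL_SIZE - p.async_free_space;
}

int main(void)
{
    printf("buggy free, 0-byte payload, 100 cycles: %zu bytes leaked\n",
           quota_leaked(0, 100, async_free_buggy));
    printf("fixed free, 0-byte payload, 100 cycles: %zu bytes leaked\n",
           quota_leaked(0, 100, async_free_fixed));
    printf("buggy free, 16-byte payload, 100 cycles: %zu bytes leaked\n",
           quota_leaked(16, 100, async_free_buggy));
    return 0;
}
```

With the buggy free routine each empty parcel leaks sizeof(void *) bytes (8 on a 64-bit build), so 100 round trips leave 800 bytes of quota unaccounted for and the pool eventually refuses further async transactions even though nothing is allocated; with the fixed routine, or with any payload larger than the pad, the invariant holds and nothing is lost. The same "alloc/free N times, then compare against the starting value" loop is the regression test worth keeping for any allocator that charges a padded size on one side and must credit it back on the other.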
