CVE-2011-1823 | Vulnerability Database | Aqua Security

The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.

Affected Software

Name	Vendor	Start Version	End Version
Android	Google	2.1 (including)	2.1 (including)
Android	Google	2.2 (including)	2.2 (including)
Android	Google	2.2-rev1 (including)	2.2-rev1 (including)
Android	Google	2.2.1 (including)	2.2.1 (including)
Android	Google	2.2.2 (including)	2.2.2 (including)
Android	Google	2.2.3 (including)	2.2.3 (including)
Android	Google	2.3-rev1 (including)	2.3-rev1 (including)
Android	Google	2.3.1 (including)	2.3.1 (including)
Android	Google	2.3.2 (including)	2.3.2 (including)
Android	Google	2.3.3 (including)	2.3.3 (including)
Android	Google	3.0 (including)	3.0 (including)

References

http://android.git.kernel.org/?p=platform/system/core.git%3Ba=commit%3Bh=b620a0b1c7ae486e979826200e8e441605b0a5d6
http://android.git.kernel.org/?p=platform/system/netd.git%3Ba=commit%3Bh=79b579c92afc08ab12c0a5788d61f2dd2934836f
http://android.git.kernel.org/?p=platform/system/vold.git%3Ba=commit%3Bh=c51920c82463b240e2be0430849837d6fdc5352e
http://androidcommunity.com/gingerbreak-root-for-gingerbread-app-20110421/
http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html
http://forum.xda-developers.com/showthread.php?t=1044765
http://www.androidpolice.com/2011/05/03/google-patches-gingerbreak-exploit-but-dont-worry-we-still-have-root-for-now/
http://xorl.wordpress.com/2011/04/28/android-vold-mpartminors-signedness-issue/
https://exchange.xforce.ibmcloud.com/vulnerabilities/67977

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-1823
CWE	https://cwe.mitre.org/data/definitions/189.html