CVE-2021-47082

Severity CVSS v4.0: Pending analysis
Type: CWE-415 Double Free
Publication date: 04/03/2024
Last modified: 14/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tun: avoid double free in tun_free_netdev

Avoid double free in tun_free_netdev() by moving the
dev->tstats and tun->security allocs to a new ndo_init routine
(tun_net_init()) that will be called by register_netdevice().
ndo_init is paired with the destructor (tun_free_netdev()),
so if there's an error in register_netdevice() the destructor
will handle the frees.

BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
Hardware name: Red Hat KVM, BIOS
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
____kasan_slab_free mm/kasan/common.c:346 [inline]
__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1723 [inline]
slab_free_freelist_hook mm/slub.c:1749 [inline]
slab_free mm/slub.c:3513 [inline]
kfree+0xac/0x2d0 mm/slub.c:4561
selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
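The ownership rule behind the fix, as an added user-space model that is not kernel code and not taken from the patch: a resource the destructor releases is allocated in the init hook that registration pairs with it, so a failed registration releases it exactly once. The struct, the function names and the order of the two releases in the "before" case are assumptions made for illustration; releases are counted rather than performed twice so the model is safe to run.

```c
/* User-space model (constructed, not kernel code) of init/destructor pairing. */
#include <stdio.h>
#include <stdlib.h>
struct dev {
    void *security;                    /* stands in for tun->security */
    int security_frees;                /* number of release attempts seen */
    int (*init)(struct dev *);         /* models the ndo_init hook */
    void (*destructor)(struct dev *);  /* models tun_free_netdev() */
};
/* Counts releases; only the first really frees, so the model itself is safe. */
static void release_security(struct dev *d) {
    if (d->security_frees++ == 0)
        free(d->security);
}
static void model_destructor(struct dev *d) { release_security(d); }
static int model_init(struct dev *d) {
    d->security = malloc(16);
    return d->security ? 0 : -1;
}

/* Models register_netdevice(): run init, then on a later error run the destructor. */
static int model_register(struct dev *d, int fail) {
    if (d->init && d->init(d) != 0)
        return -1;
    if (fail) {
        d->destructor(d);
        return -1;
    }
    return 0;
}

/* Before: the caller allocates, and its error path releases what the destructor also released. */
int frees_before_fix(void) {
    struct dev d = { .destructor = model_destructor };
    d.security = malloc(16);
    if (model_register(&d, 1) < 0)
        release_security(&d);          /* second release of the same object */
    return d.security_frees;
}

/* After: allocation lives in init; on failure the caller leaves cleanup to the destructor. */
int frees_after_fix(void) {
    struct dev d = { .init = model_init, .destructor = model_destructor };
    model_register(&d, 1);
    return d.security_frees;
}

int main(void) { printf("before=%d after=%d\n", frees_before_fix(), frees_after_fix()); return 0; }
```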

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | - | 4.19.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.240 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.12 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:* | - | -