CVE-2021-47505
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
24/05/2024
Last modified:
10/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

aio: fix use-after-free due to missing POLLFREE handling

signalfd_poll() and binder_poll() are special in that they use a waitqueue whose lifetime is the current task, rather than the struct file as is normally the case. This is okay for blocking polls, since a blocking poll occurs within one task; however, non-blocking polls require another solution. This solution is for the queue to be cleared before it is freed, by sending a POLLFREE notification to all waiters.

Unfortunately, only eventpoll handles POLLFREE. A second type of non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with aio poll, and the waitqueue gets freed.

Fix this by making aio poll handle POLLFREE.

A patch by Ramji Jiyani (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com) tried to do this by making aio_poll_wake() always complete the request inline if POLLFREE is seen. However, that solution had two bugs. First, it introduced a deadlock, as it unconditionally locked the aio context while holding the waitqueue lock, which inverts the normal locking order. Second, it didn't consider that POLLFREE notifications are missed while the request has been temporarily de-queued.

The second problem was solved by my previous patch. This patch then properly fixes the use-after-free by handling POLLFREE in a deadlock-free way. It does this by taking advantage of the fact that freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.18 (including) | 4.19.221 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:* | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/321fba81ec034f88aea4898993c1bf15605c023f
- https://git.kernel.org/stable/c/4105e6a128e8a98455dfc9e6dbb2ab0c33c4497f
- https://git.kernel.org/stable/c/47ffefd88abfffe8a040bcc1dd0554d4ea6f7689
- https://git.kernel.org/stable/c/50252e4b5e989ce64555c7aef7516bdefc2fea72
- https://git.kernel.org/stable/c/60d311f9e6381d779d7d53371f87285698ecee24