CVE-2021-47506
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
24/05/2024
Last modified:
06/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix use-after-free due to delegation race

A delegation break could arrive as soon as we've called vfs_setlease. A
delegation break runs a callback which immediately (in
nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
then exit nfs4_set_delegation without hashing the delegation, it will be
freed as soon as the callback is done with it, without ever being
removed from del_recall_lru.

Symptoms show up later as use-after-free or list corruption warnings,
usually in the laundromat thread.

I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
writes" made this bug easier to hit, but I looked as far back as v3.0
and it looks to me it already had the same problem. So I'm not sure
where the bug was introduced; it may have been there from the beginning.
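The ordering described above can be replayed in a small user-space model that counts freed objects still linked on del_recall_lru. This is an added example, not kernel code and not the fix from the referenced commits. The struct layout, the reference counting and the function simulate() are assumptions made for illustration, and a flag stands in for the actual free so the model never touches released memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: names follow the description, bodies are assumptions. */
struct list_head { struct list_head *next, *prev; };
struct deleg {
    struct list_head recall_lru;   /* linkage on del_recall_lru */
    int refs;
    bool hashed;
    bool freed;                    /* stands in for kfree(); nothing is really freed */
};
static struct list_head del_recall_lru;

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void put_deleg(struct deleg *dp) { if (--dp->refs == 0) dp->freed = true; }

/* Invariant: a freed object is on no list. Returns the number of violations. */
static int freed_entries_on_lru(void) {
    int n = 0;
    for (struct list_head *p = del_recall_lru.next; p != &del_recall_lru; p = p->next) {
        struct deleg *dp = (struct deleg *)((char *)p - offsetof(struct deleg, recall_lru));
        n += dp->freed;
    }
    return n;
}

/* Replays one interleaving, starting just after vfs_setlease() has returned. */
int simulate(bool break_arrives, bool exit_before_hash) {
    static struct deleg d;
    d = (struct deleg){ .refs = 1 };                  /* creator's reference */
    del_recall_lru.next = del_recall_lru.prev = &del_recall_lru;
    if (break_arrives) {                              /* recall callback starts */
        d.refs++;
        list_add_tail(&d.recall_lru, &del_recall_lru);
    }
    if (exit_before_hash) put_deleg(&d);              /* error exit, never hashed */
    else d.hashed = true;                             /* normal path */
    if (break_arrives) put_deleg(&d);                 /* callback is done with it */
    return freed_entries_on_lru();
}

int main(void) {
    printf("break + early exit: %d stale entry\n", simulate(true, true));
    printf("break + hashed:     %d\n", simulate(true, false));
    printf("no break:           %d\n", simulate(false, true));
    return 0;
}
```

Only the combination of a break arriving and an exit before hashing leaves a freed entry on the list, which is the state a later list walk would trip over.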
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.296 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.5 (including) | 4.9.294 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.259 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.222 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.85 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce
- https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3
- https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4
- https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee
- https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4
- https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5
- https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09
- https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373



