CVE-2021-46933
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/02/2024
Last modified:
22/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

Also, set epfiles to NULL right after de-allocating it, for readability.

For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):

/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear
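The defect pattern and the fix described above, reduced to a constructed user-space model (added example, not kernel code): `eventfd_ctx`, `ffs_data`, `eventfd_ctx_put` and the two `ffs_data_clear_*` variants are stand-ins with a plain counter that records an underflow, and `simulate_teardown` replays the repeated teardown calls from the commit message.

```c
#include <stddef.h>

/* Constructed stand-in for the kernel's eventfd_ctx: a plain counter that
 * remembers whether a put ever took it below zero. */
struct eventfd_ctx {
    int refcount;
    int underflowed;   /* set once refcount drops below 0 */
};

/* Only the field relevant to this bug. */
struct ffs_data {
    struct eventfd_ctx *ffs_eventfd;
};

static void eventfd_ctx_put(struct eventfd_ctx *ctx)
{
    if (--ctx->refcount < 0)
        ctx->underflowed = 1;
}

/* Pre-fix pattern: the reference is dropped but the pointer stays set,
 * so every later teardown path puts the same reference again. */
static void ffs_data_clear_unfixed(struct ffs_data *ffs)
{
    if (ffs->ffs_eventfd)
        eventfd_ctx_put(ffs->ffs_eventfd);
}

/* Fixed pattern: NULL the pointer right after the put, which makes the
 * clear idempotent however many times ffs_fs_kill_sb / ffs_ep0_release
 * reach it. */
static void ffs_data_clear_fixed(struct ffs_data *ffs)
{
    if (ffs->ffs_eventfd) {
        eventfd_ctx_put(ffs->ffs_eventfd);
        ffs->ffs_eventfd = NULL;
    }
}

/* Replays `calls` teardown invocations against one eventfd reference
 * (the single reference taken when userland supplied the eventfd) and
 * returns 1 if the refcount underflowed, 0 otherwise. */
static int simulate_teardown(void (*clear)(struct ffs_data *), int calls)
{
    struct eventfd_ctx ctx = { .refcount = 1, .underflowed = 0 };
    struct ffs_data ffs = { .ffs_eventfd = &ctx };
    for (int i = 0; i < calls; i++)
        clear(&ffs);
    return ctx.underflowed;
}
```

With the three calls the trace shows, the unfixed variant underflows on the second call while the fixed variant only ever puts once.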
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.0.0 (including) | 4.4.298 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.5.0 (including) | 4.9.296 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10.0 (including) | 4.14.261 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15.0 (including) | 4.19.224 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20.0 (including) | 5.4.170 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5.0 (including) | 5.10.90 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11.0 (including) | 5.15.13 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
- https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
- https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
- https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
- https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154
- https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
- https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
- https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa