CVE-2021-47196

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
10/04/2024
Last modified:
03/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Set send and receive CQ before forwarding to the driver

Preset both receive and send CQ pointers prior to the call to the drivers and overwrite them later again, until mlx4 is changed to not overwrite ibqp properties.

This change is needed for mlx5, because in case of QP creation failure, it will go to the path of QP destroy which relies on proper CQ pointers.

BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]
Write of size 8 at addr ffff8880064c55c0 by task a.out/246

CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x45/0x59
 print_address_description.constprop.0+0x1f/0x140
 kasan_report.cold+0x83/0xdf
 create_qp.cold+0x164/0x16e [mlx5_ib]
 mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]
 create_qp.part.0+0x45b/0x6a0 [ib_core]
 ib_create_qp_user+0x97/0x150 [ib_core]
 ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
 ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
 __x64_sys_ioctl+0x866/0x14d0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Allocated by task 246:
 kasan_save_stack+0x1b/0x40
 __kasan_kmalloc+0xa4/0xd0
 create_qp.part.0+0x92/0x6a0 [ib_core]
 ib_create_qp_user+0x97/0x150 [ib_core]
 ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
 ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
 __x64_sys_ioctl+0x866/0x14d0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 246:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x10c/0x150
 slab_free_freelist_hook+0xb4/0x1b0
 kfree+0xe7/0x2a0
 create_qp.part.0+0x52b/0x6a0 [ib_core]
 ib_create_qp_user+0x97/0x150 [ib_core]
 ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
 ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
 __x64_sys_ioctl+0x866/0x14d0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
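The ordering problem the commit message describes, as an added user-space model that is not kernel code and not the RDMA core API: the core used to store the QP's send and receive CQ pointers only after the driver's create hook had succeeded, so a driver whose failure path unwinds through its destroy hook (mlx5, per the message) found them unset. All names below (core_create_qp_before/after, drv_create_qp, drv_destroy_qp, the usecnt field, the scenario helpers) are assumptions of this model, and the driver's NULL check stands in for what would be a bad dereference in a real driver.

```c
/* Added example, not kernel code: models the CQ-pointer ordering bug
 * described in the commit message. Names are assumptions of this model. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct ib_cq { int usecnt; };              /* QPs currently attached to the CQ */
struct ib_qp { struct ib_cq *send_cq; struct ib_cq *recv_cq; };

/* Driver destroy hook: detaches the QP from its CQs via qp->send_cq/recv_cq.
 * A real driver dereferences them unconditionally; the model reports -EFAULT
 * instead so the bad outcome can be observed without crashing. */
static int drv_destroy_qp(struct ib_qp *qp)
{
    if (!qp->send_cq || !qp->recv_cq)
        return -EFAULT;                    /* would be a NULL deref in a driver */
    qp->send_cq->usecnt--;
    qp->recv_cq->usecnt--;
    return 0;
}

/* Driver create hook: attaches the QP to the CQs it is handed, then on a
 * late failure ('fail' set) unwinds through drv_destroy_qp(). */
static int drv_create_qp(struct ib_qp *qp, struct ib_cq *scq,
                         struct ib_cq *rcq, int fail)
{
    scq->usecnt++;
    rcq->usecnt++;
    if (fail) {
        int rc = drv_destroy_qp(qp);
        return rc ? rc : -ENOMEM;          /* a broken unwind is reported first */
    }
    return 0;
}

/* Core path before the fix: pointers stored only after driver success, so the
 * driver's own error unwind runs with them still NULL. */
static int core_create_qp_before(struct ib_qp *qp, struct ib_cq *scq,
                                 struct ib_cq *rcq, int fail)
{
    qp->send_cq = NULL;
    qp->recv_cq = NULL;
    int rc = drv_create_qp(qp, scq, rcq, fail);
    if (rc)
        return rc;
    qp->send_cq = scq;
    qp->recv_cq = rcq;
    return 0;
}

/* Core path after the fix: preset both pointers before forwarding to the
 * driver, then store them again afterwards (kept until mlx4 stops
 * overwriting ibqp fields, as the commit message says). */
static int core_create_qp_after(struct ib_qp *qp, struct ib_cq *scq,
                                struct ib_cq *rcq, int fail)
{
    qp->send_cq = scq;
    qp->recv_cq = rcq;
    int rc = drv_create_qp(qp, scq, rcq, fail);
    if (rc)
        return rc;
    qp->send_cq = scq;
    qp->recv_cq = rcq;
    return 0;
}

/* Run one scenario on fresh objects: returns the create result and stores the
 * CQ references a failed unwind left behind in *leaked (0 on success). */
static int run_scenario(int fixed, int fail, int *leaked)
{
    struct ib_cq scq = {0}, rcq = {0};
    struct ib_qp qp = {0};
    int rc = fixed ? core_create_qp_after(&qp, &scq, &rcq, fail)
                   : core_create_qp_before(&qp, &scq, &rcq, fail);
    if (leaked)
        *leaked = rc ? scq.usecnt + rcq.usecnt : 0;
    return rc;
}

int scenario_rc(int fixed, int fail)     { return run_scenario(fixed, fail, NULL); }
int scenario_leaked(int fixed, int fail) { int l; run_scenario(fixed, fail, &l); return l; }

int main(void)
{
    printf("before fix, driver fails: rc=%d leaked CQ refs=%d\n",
           scenario_rc(0, 1), scenario_leaked(0, 1));
    printf("after fix,  driver fails: rc=%d leaked CQ refs=%d\n",
           scenario_rc(1, 1), scenario_leaked(1, 1));
    return 0;
}
```

In the model the pre-fix path with a failing driver returns -EFAULT from the unwind and leaves both CQ references dangling, while the fixed path unwinds cleanly and surfaces only the driver's original -ENOMEM. The general rule it illustrates is the one the patch applies: anything a cleanup path will read must be initialised before the call that may fail, not after it.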

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.5 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*