Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2021-47299

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/05/2024
Last modified:
26/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xdp, net: Fix use-after-free in bpf_xdp_link_release<br /> <br /> The problem occurs between dev_get_by_index() and dev_xdp_attach_link().<br /> At this point, dev_xdp_uninstall() is called. Then xdp link will not be<br /> detached automatically when dev is released. But link-&gt;dev already<br /> points to dev, when xdp link is released, dev will still be accessed,<br /> but dev has been released.<br /> <br /> dev_get_by_index() |<br /> link-&gt;dev = dev |<br /> | rtnl_lock()<br /> | unregister_netdevice_many()<br /> | dev_xdp_uninstall()<br /> | rtnl_unlock()<br /> rtnl_lock(); |<br /> dev_xdp_attach_link() |<br /> rtnl_unlock(); |<br /> | netdev_run_todo() // dev released<br /> bpf_xdp_link_release() |<br /> /* access dev. |<br /> use-after-free */ |<br /> <br /> [ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0<br /> [ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732<br /> [ 45.968297]<br /> [ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22<br /> [ 45.969222] Hardware name: linux,dummy-virt (DT)<br /> [ 45.969795] Call trace:<br /> [ 45.970106] dump_backtrace+0x0/0x4c8<br /> [ 45.970564] show_stack+0x30/0x40<br /> [ 45.970981] dump_stack_lvl+0x120/0x18c<br /> [ 45.971470] print_address_description.constprop.0+0x74/0x30c<br /> [ 45.972182] kasan_report+0x1e8/0x200<br /> [ 45.972659] __asan_report_load8_noabort+0x2c/0x50<br /> [ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0<br /> [ 45.973834] bpf_link_free+0xd0/0x188<br /> [ 45.974315] bpf_link_put+0x1d0/0x218<br /> [ 45.974790] bpf_link_release+0x3c/0x58<br /> [ 45.975291] __fput+0x20c/0x7e8<br /> [ 45.975706] ____fput+0x24/0x30<br /> [ 45.976117] task_work_run+0x104/0x258<br /> [ 45.976609] do_notify_resume+0x894/0xaf8<br /> [ 45.977121] work_pending+0xc/0x328<br /> [ 45.977575]<br /> [ 45.977775] The buggy address belongs to the page:<br /> [ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998<br /> [ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)<br /> [ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000<br /> [ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> [ 45.982259] page dumped because: kasan: bad access detected<br /> [ 45.982948]<br /> [ 45.983153] Memory state around the buggy address:<br /> [ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> [ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br /> [ 45.985533] &gt;ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br /> [ 45.986419] ^<br /> [ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br /> [ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br /> [ 45.988895] ==================================================================<br /> [ 45.989773] Disabling lock debugging due to kernel taint<br /> [ 45.990552] Kernel panic - not syncing: panic_on_warn set ...<br /> [ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22<br /> [ 45.991929] Hardware name: linux,dummy-virt (DT)<br /> [ 45.992448] Call trace:<br /> [ 45.992753] dump_backtrace+0x0/0x4c8<br /> [ 45.993208] show_stack+0x30/0x40<br /> [ 45.993627] dump_stack_lvl+0x120/0x18c<br /> [ 45.994113] dump_stack+0x1c/0x34<br /> [ 45.994530] panic+0x3a4/0x7d8<br /> [ 45.994930] end_report+0x194/0x198<br /> [ 45.995380] kasan_report+0x134/0x200<br /> [ 45.995850] __asan_report_load8_noabort+0x2c/0x50<br /> [ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0<br /> [ 45.997007] bpf_link_free+0xd0/0x188<br /> [ 45.997474] bpf_link_put+0x1d0/0x218<br /> [ 45.997942] bpf_link_release+0x3c/0x58<br /> [ 45.998429] __fput+0x20c/0x7e8<br /> [ 45.998833] ____fput+0x24/0x30<br /> [ 45.999247] task_work_run+0x104/0x258<br /> [ 45.999731] do_notify_resume+0x894/0xaf8<br /> [ 46.000236] work_pending<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.9 (including) 5.10.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.13.6 (excluding)
cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools