CVE-2021-47379
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
21/05/2024
Last modified:
23/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd<br />
<br />
KASAN reports a use-after-free report when doing fuzz test:<br />
<br />
[693354.104835] ==================================================================<br />
[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160<br />
[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338<br />
<br />
[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147<br />
[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018<br />
[693354.105612] Call Trace:<br />
[693354.105621] dump_stack+0xf1/0x19b<br />
[693354.105626] ? show_regs_print_info+0x5/0x5<br />
[693354.105634] ? printk+0x9c/0xc3<br />
[693354.105638] ? cpumask_weight+0x1f/0x1f<br />
[693354.105648] print_address_description+0x70/0x360<br />
[693354.105654] kasan_report+0x1b2/0x330<br />
[693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160<br />
[693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160<br />
[693354.105670] bfq_io_set_weight_legacy+0xd3/0x160<br />
[693354.105675] ? bfq_cpd_init+0x20/0x20<br />
[693354.105683] cgroup_file_write+0x3aa/0x510<br />
[693354.105693] ? ___slab_alloc+0x507/0x540<br />
[693354.105698] ? cgroup_file_poll+0x60/0x60<br />
[693354.105702] ? 0xffffffff89600000<br />
[693354.105708] ? usercopy_abort+0x90/0x90<br />
[693354.105716] ? mutex_lock+0xef/0x180<br />
[693354.105726] kernfs_fop_write+0x1ab/0x280<br />
[693354.105732] ? cgroup_file_poll+0x60/0x60<br />
[693354.105738] vfs_write+0xe7/0x230<br />
[693354.105744] ksys_write+0xb0/0x140<br />
[693354.105749] ? __ia32_sys_read+0x50/0x50<br />
[693354.105760] do_syscall_64+0x112/0x370<br />
[693354.105766] ? syscall_return_slowpath+0x260/0x260<br />
[693354.105772] ? do_page_fault+0x9b/0x270<br />
[693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0<br />
[693354.105784] ? enter_from_user_mode+0x30/0x30<br />
[693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca<br />
<br />
[693354.105875] Allocated by task 1453337:<br />
[693354.106001] kasan_kmalloc+0xa0/0xd0<br />
[693354.106006] kmem_cache_alloc_node_trace+0x108/0x220<br />
[693354.106010] bfq_pd_alloc+0x96/0x120<br />
[693354.106015] blkcg_activate_policy+0x1b7/0x2b0<br />
[693354.106020] bfq_create_group_hierarchy+0x1e/0x80<br />
[693354.106026] bfq_init_queue+0x678/0x8c0<br />
[693354.106031] blk_mq_init_sched+0x1f8/0x460<br />
[693354.106037] elevator_switch_mq+0xe1/0x240<br />
[693354.106041] elevator_switch+0x25/0x40<br />
[693354.106045] elv_iosched_store+0x1a1/0x230<br />
[693354.106049] queue_attr_store+0x78/0xb0<br />
[693354.106053] kernfs_fop_write+0x1ab/0x280<br />
[693354.106056] vfs_write+0xe7/0x230<br />
[693354.106060] ksys_write+0xb0/0x140<br />
[693354.106064] do_syscall_64+0x112/0x370<br />
[693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca<br />
<br />
[693354.106114] Freed by task 1453336:<br />
[693354.106225] __kasan_slab_free+0x130/0x180<br />
[693354.106229] kfree+0x90/0x1b0<br />
[693354.106233] blkcg_deactivate_policy+0x12c/0x220<br />
[693354.106238] bfq_exit_queue+0xf5/0x110<br />
[693354.106241] blk_mq_exit_sched+0x104/0x130<br />
[693354.106245] __elevator_exit+0x45/0x60<br />
[693354.106249] elevator_switch_mq+0xd6/0x240<br />
[693354.106253] elevator_switch+0x25/0x40<br />
[693354.106257] elv_iosched_store+0x1a1/0x230<br />
[693354.106261] queue_attr_store+0x78/0xb0<br />
[693354.106264] kernfs_fop_write+0x1ab/0x280<br />
[693354.106268] vfs_write+0xe7/0x230<br />
[693354.106271] ksys_write+0xb0/0x140<br />
[693354.106275] do_syscall_64+0x112/0x370<br />
[693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca<br />
<br />
[693354.106329] The buggy address belongs to the object at ffff888be0a35580<br />
which belongs to the cache kmalloc-1k of size 1024<br />
[693354.106736] The buggy address is located 228 bytes inside of<br />
1024-byte region [ffff888be0a35580, ffff888be0a35980)<br />
[693354.107114] The buggy address belongs to the page:<br />
[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0<br />
[693354.107606] flags: 0x17ffffc0008100(slab|head)<br />
[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080<br />
[693354.108020] r<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.150 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.70 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.14.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb
- https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2
- https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08
- https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf
- https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb
- https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2
- https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08
- https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf