CVE-2021-47388
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
21/05/2024
Last modified:
30/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix use-after-free in CCMP/GCMP RX

When PN checking is done in mac80211, for fragmentation we need
to copy the PN to the RX struct so we can later use it to do a
comparison, since commit bf30ca922a0c ("mac80211: check defrag
PN against current frame").

Unfortunately, in that commit I used the 'hdr' variable without
it being necessarily valid, so use-after-free could occur if it
was necessary to reallocate (parts of) the frame.

Fix this by reloading the variable after the code that results
in the reallocations, if any.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.
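
The bug class described above, shown as an added user-space illustration that is not code from the kernel or from the fix commits: a header pointer taken from a frame buffer goes stale once the buffer is reallocated, so it must be reloaded before the PN is copied. The names `frame`, `hdr`, `frame_make_linear`, `rx_check_pn` and `demo_reload_after_realloc` are hypothetical stand-ins, and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PN_LEN 6
/* Hypothetical user-space stand-ins, not the kernel's structures. */
struct frame { uint8_t *data; size_t len; };
struct hdr { uint8_t is_protected, more_frags, pn[PN_LEN]; };

/* Models a step that may reallocate the frame; the old storage is freed. */
static int frame_make_linear(struct frame *f)
{
    uint8_t *fresh = malloc(f->len);
    if (!fresh)
        return -1;
    memcpy(fresh, f->data, f->len);
    free(f->data);
    f->data = fresh;
    return 0;
}

/* 1: fragment PN saved, 0: not a fragment, -1: rejected or out of memory. */
int rx_check_pn(struct frame *f, uint8_t saved_pn[PN_LEN])
{
    struct hdr *hdr = (struct hdr *)f->data;  /* valid only until the frame moves */
    if (f->len < sizeof(*hdr) || !hdr->is_protected)
        return -1;
    if (frame_make_linear(f) != 0)
        return -1;
    /* Bug pattern: dereferencing the old 'hdr' here would read freed memory. */
    hdr = (struct hdr *)f->data;              /* fix: reload after reallocation */
    if (!hdr->more_frags)
        return 0;
    memcpy(saved_pn, hdr->pn, PN_LEN);
    return 1;
}

int demo_reload_after_realloc(void)
{
    static const struct hdr sample = { 1, 1, { 0, 0, 0, 0, 0, 7 } }; /* constructed */
    struct frame f = { malloc(sizeof(sample)), sizeof(sample) };
    uint8_t pn[PN_LEN] = { 0 };
    int ok = 0;
    if (f.data) {
        memcpy(f.data, &sample, sizeof(sample));
        ok = rx_check_pn(&f, pn) == 1 && !memcmp(pn, sample.pn, PN_LEN);
    }
    free(f.data);
    return ok;
}
```

Building the variant without the reload under AddressSanitizer (`-fsanitize=address`) reports the stale read as a heap-use-after-free.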
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.271 (including) | 4.4.286 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.271 (including) | 4.9.285 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.235 (including) | 4.14.249 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.193 (including) | 4.19.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.124 (including) | 5.4.151 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.42 (including) | 5.10.71 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12.9 (including) | 5.14.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9
- https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78
- https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd
- https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258
- https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32
- https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0
- https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8
- https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb



