In the Linux kernel, the following vulnerability has been resolved:
blktrace: Fix uaf in blk_trace access after removing by sysfs
There is a use-after-free problem triggered by the following process:
P1(sda)                              P2(sdb)
                                     echo 0 > /sys/block/sdb/trace/enable
                                       blk_trace_remove_queue
                                         synchronize_rcu
                                         blk_trace_free
                                           relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
                                             relay_close_buf
                                               relay_destroy_buf
                                                 kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr dereference (use-after-free) !!!
rcu_read_unlock
[ 502.714379] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 502.715260] #PF: supervisor read access in kernel mode
[ 502.715903] #PF: error_code(0x0000) - not-present page
[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[ 502.717252] Oops: 0000 [#1] SMP
[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[ 502.732872] Call Trace:
[ 502.733193]  __blk_add_trace.cold+0x137/0x1a3
[ 502.733734]  blk_add_trace_rq+0x7b/0xd0
[ 502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[ 502.734755]  blk_mq_start_request+0xde/0x1b0
[ 502.735287]  scsi_queue_rq+0x528/0x1140
...
[ 502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[ 502.747501]  sg_ioctl+0x466/0x1100
Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)
Remove blktrace from running_list before calling blk_trace_free() by sysfs if blktrace is at Blktrace_running state.
[
{
"events": [
{
"introduced": "2.6.30"
},
{
"fixed": "4.4.286"
}
]
},
{
"events": [
{
"introduced": "4.5"
},
{
"fixed": "4.9.285"
}
]
},
{
"events": [
{
"introduced": "4.10"
},
{
"fixed": "4.14.249"
}
]
},
{
"events": [
{
"introduced": "4.15"
},
{
"fixed": "4.19.209"
}
]
},
{
"events": [
{
"introduced": "4.20"
},
{
"fixed": "5.4.150"
}
]
},
{
"events": [
{
"introduced": "5.5"
},
{
"fixed": "5.10.70"
}
]
},
{
"events": [
{
"introduced": "5.11"
},
{
"fixed": "5.14.9"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc2"
}
]
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47375.json"
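As an added example (not part of the advisory or the OSV record), the following Python applies OSV range semantics to the ranges listed above so a practitioner can check whether a given kernel version falls inside an affected range. The version-tuple and rc ordering rules are the example's own assumptions; note that the last two ranges, as written (introduced "0" with a last_affected of 5.15-rc1 / 5.15-rc2), match every version up to 5.15-rc2, so the helper reports which ranges matched rather than only a yes/no.

```python
import re

# Copy of the OSV "ranges" listed in this advisory (constructed for the example).
AFFECTED_RANGES = [
    [{"introduced": "2.6.30"}, {"fixed": "4.4.286"}],
    [{"introduced": "4.5"}, {"fixed": "4.9.285"}],
    [{"introduced": "4.10"}, {"fixed": "4.14.249"}],
    [{"introduced": "4.15"}, {"fixed": "4.19.209"}],
    [{"introduced": "4.20"}, {"fixed": "5.4.150"}],
    [{"introduced": "5.5"}, {"fixed": "5.10.70"}],
    [{"introduced": "5.11"}, {"fixed": "5.14.9"}],
    [{"introduced": "0"}, {"last_affected": "5.15-rc1"}],
    [{"introduced": "0"}, {"last_affected": "5.15-rc2"}],
]

def parse_version(v):
    """Turn '5.10.70' or '5.15-rc2' into a comparable tuple (assumed scheme).
    A release candidate sorts before the final release with the same number:
    the trailing marker is (0, n) for -rcN and (1, 0) for a release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad so that 5.5 == 5.5.0
    rc = (0, int(m.group(2))) if m.group(2) else (1, 0)
    return nums + rc

def in_range(version, events):
    """OSV event semantics: affected from 'introduced' (inclusive) up to but
    not including 'fixed', or up to and including 'last_affected'."""
    v = parse_version(version)
    intro = fixed = last = None
    for ev in events:
        intro = ev.get("introduced", intro)
        fixed = ev.get("fixed", fixed)
        last = ev.get("last_affected", last)
    if intro is not None and v < parse_version(intro):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    if last is not None and v > parse_version(last):
        return False
    return True

def matching_ranges(version, ranges=AFFECTED_RANGES):
    """Return (introduced, upper bound) for every range containing version."""
    hits = []
    for events in ranges:
        if in_range(version, events):
            intro = next(e["introduced"] for e in events if "introduced" in e)
            bound = next(e.get("fixed") or e.get("last_affected")
                         for e in events if "fixed" in e or "last_affected" in e)
            hits.append((intro, bound))
    return hits

def is_affected(version, ranges=AFFECTED_RANGES):
    return bool(matching_ranges(version, ranges))
```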