CVE-2021-47375

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47375
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47375.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47375
Published
2024-05-21T15:15:23Z
Modified
2024-10-27T16:49:22.326414Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

blktrace: Fix uaf in blk_trace access after removing by sysfs

There is a use-after-free problem triggered by the following process:

  P1(sda)                       P2(sdb)
                                echo 0 > /sys/block/sdb/trace/enable
                                  blk_trace_remove_queue
                                    synchronize_rcu
                                    blk_trace_free
                                      relay_close
  rcu_read_lock
  __blk_add_trace
    trace_note_tsk
    (Iterate running_trace_list)
                                        relay_close_buf
                                          relay_destroy_buf
                                            kfree(buf)
      trace_note(sdb's bt)
        relay_reserve
          buf->offset <- nullptr dereference (use-after-free) !!!
  rcu_read_unlock

[ 502.714379] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 502.715260] #PF: supervisor read access in kernel mode
[ 502.715903] #PF: error_code(0x0000) - not-present page
[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[ 502.717252] Oops: 0000 [#1] SMP
[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[ 502.732872] Call Trace:
[ 502.733193]  __blk_add_trace.cold+0x137/0x1a3
[ 502.733734]  blk_add_trace_rq+0x7b/0xd0
[ 502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[ 502.734755]  blk_mq_start_request+0xde/0x1b0
[ 502.735287]  scsi_queue_rq+0x528/0x1140
...
[ 502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[ 502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by sysfs if blk_trace is at Blktrace_running state.
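
The ordering problem and its fix, replayed in a single-threaded userspace model (an added example, not the kernel patch and not code from this advisory; the `model_*` functions, the two-slot `running_list` array and `replay` are hypothetical names). A freed relay buffer is represented by a flag, so the program never touches freed memory; it shows that waiting for a grace period does not help while the trace is still reachable from the running list.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is illustrative, not kernel code. */
struct model_trace {
    bool running;    /* models the "running" trace state */
    bool buf_freed;  /* stands in for the relay buffer being freed */
};
static struct model_trace *running_list[2];  /* models the global running list */

static void model_start(struct model_trace *t, int slot)
{
    t->running = true;
    t->buf_freed = false;
    running_list[slot] = t;
}

/* Removal through sysfs; unlink_first=true models the fixed ordering. */
static void model_remove_by_sysfs(struct model_trace *t, int slot, bool unlink_first)
{
    if (unlink_first && t->running) {
        t->running = false;
        running_list[slot] = NULL;  /* later readers can no longer find t */
    }
    /* A grace period would elapse here; it only waits for current readers. */
    t->buf_freed = true;
}

/* Reader walking the running list; counts entries whose buffer is gone. */
static int model_note_tsk(void)
{
    int stale = 0;
    for (int i = 0; i < 2; i++)
        stale += running_list[i] && running_list[i]->buf_freed;
    return stale;
}

/* Replays the interleaving: sdb is removed, then a reader enters via sda. */
int replay(bool unlink_first)
{
    static struct model_trace sda, sdb;
    model_start(&sda, 0);
    model_start(&sdb, 1);
    model_remove_by_sysfs(&sdb, 1, unlink_first);
    return model_note_tsk();  /* reader arrives after the free returned */
}

int main(void)
{
    printf("stale entries: unfixed=%d fixed=%d\n", replay(false), replay(true));
}
```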

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.70-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}