CVE-2021-47589

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47589
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47589.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47589
Related
Published
2024-06-19T15:15:53Z
Modified
2024-09-18T03:18:54.393762Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

igbvf: fix double free in igbvf_probe

In igbvf_probe, if registernetdev() fails, the program will go to label errhwinit, and then to label errioremap. In freenetdev() which is just below label errioremap, there is list_for_each_entry_safe and netif_napi_del which aims to delete all entries in dev->napi_list. The program has added an entry adapter->rx_ring->napi which is added by netif_napi_add in igbvfallocqueues(). However, adapter->rxring has been freed below label errhw_init. So this a UAF.

In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before adapter->rx_ring.

The KASAN logs are as follows:

[ 35.126075] BUG: KASAN: use-after-free in freenetdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dumpstacklvl+0x59/0x7b [ 35.132865] printaddressdescription+0x7c/0x3b0 [ 35.133707] ? freenetdev+0x1fd/0x450 [ 35.134378] kasanreport+0x160/0x1c0 [ 35.135063] ? freenetdev+0x1fd/0x450 [ 35.135738] kasanreport+0x4b/0x70 [ 35.136367] freenetdev+0x1fd/0x450 [ 35.137006] igbvfprobe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvfvlanrxaddvid+0x100/0x100 [igbvf] [ 35.138751] localpciprobe+0x13c/0x1f0 [ 35.139461] pcideviceprobe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] _kasankmalloc+0xc4/0xf0 [ 35.167117] fookmemcachealloctrace+0x3c/0x50 [igbvf] [ 35.168078] igbvfprobe+0x9c5/0x1a10 [igbvf] [ 35.168866] localpciprobe+0x13c/0x1f0 [ 35.169565] pcideviceprobe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasansettrack+0x4c/0x80 [ 35.181211] kasansetfreeinfo+0x1f/0x40 [ 35.181942] __kasanslabfree+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvfprobe+0x1173/0x1a10 [igbvf] [ 35.184040] localpciprobe+0x13c/0x1f0

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.92-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}