CVE-2021-47589
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-47589
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47589.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-47589
- Related
- Published
- 2024-06-19T15:15:53Z
- Modified
- 2024-09-18T03:18:54.393762Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
igbvf: fix double free in
igbvf_probeIn
igbvf_probe, if registernetdev() fails, the program will go to label errhwinit, and then to label errioremap. In freenetdev() which is just below label errioremap, there islist_for_each_entry_safeandnetif_napi_delwhich aims to delete all entries indev->napi_list. The program has added an entryadapter->rx_ring->napiwhich is added bynetif_napi_addin igbvfallocqueues(). However, adapter->rxring has been freed below label errhw_init. So this a UAF.In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before
adapter->rx_ring.The KASAN logs are as follows:
[ 35.126075] BUG: KASAN: use-after-free in freenetdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dumpstacklvl+0x59/0x7b [ 35.132865] printaddressdescription+0x7c/0x3b0 [ 35.133707] ? freenetdev+0x1fd/0x450 [ 35.134378] kasanreport+0x160/0x1c0 [ 35.135063] ? freenetdev+0x1fd/0x450 [ 35.135738] kasanreport+0x4b/0x70 [ 35.136367] freenetdev+0x1fd/0x450 [ 35.137006] igbvfprobe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvfvlanrxaddvid+0x100/0x100 [igbvf] [ 35.138751] localpciprobe+0x13c/0x1f0 [ 35.139461] pcideviceprobe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] _kasankmalloc+0xc4/0xf0 [ 35.167117] fookmemcachealloctrace+0x3c/0x50 [igbvf] [ 35.168078] igbvfprobe+0x9c5/0x1a10 [igbvf] [ 35.168866] localpciprobe+0x13c/0x1f0 [ 35.169565] pcideviceprobe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasansettrack+0x4c/0x80 [ 35.181211] kasansetfreeinfo+0x1f/0x40 [ 35.181942] __kasanslabfree+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvfprobe+0x1173/0x1a10 [igbvf] [ 35.184040] localpciprobe+0x13c/0x1f0
- References
-
- https://git.kernel.org/stable/c/74a16e062b23332d8db017ff4a41e16279c44411
- https://git.kernel.org/stable/c/79d9b092035dcdbe636b70433149df9cc6db1e49
- https://git.kernel.org/stable/c/8addba6cab94ce01686ea2e80ed1530f9dc33a9a
- https://git.kernel.org/stable/c/8d0c927a9fb2b4065230936b77b54f857a3754fc
- https://git.kernel.org/stable/c/944b8be08131f5faf2cd2440aa1c24a39a163a54
- https://git.kernel.org/stable/c/b6d335a60dc624c0d279333b22c737faa765b028
- https://git.kernel.org/stable/c/cc9b655bb84f1be283293dfea94dff9a31b106ac
- https://git.kernel.org/stable/c/ffe1695b678729edec04037e691007900a2b2beb
- https://security-tracker.debian.org/tracker/CVE-2021-47589
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source