Описание
In the Linux kernel, the following vulnerability has been resolved:
hamradio: defer ax25 kfree after unregister_netdev
There is a possible race condition (use-after-free) like below
(USE) | (FREE) ax25_sendmsg | ax25_queue_xmit | dev_queue_xmit | __dev_queue_xmit | __dev_xmit_skb | sch_direct_xmit | ... xmit_one | netdev_start_xmit | tty_ldisc_kill __netdev_start_xmit | mkiss_close ax_xmit | kfree ax_encaps | |
Even though there are two synchronization primitives before the kfree:
-
wait_for_completion(&ax->dead). This can prevent the race with routines from mkiss_ioctl. However, it cannot stop the routine coming from upper layer, i.e., the ax25_sendmsg.
-
netif_stop_queue(ax->dev). It seems that this line of code aims to halt the transmit queue but it fails to ...
In the Linux kernel, the following vulnerability has been resolved:
hamradio: defer ax25 kfree after unregister_netdev
There is a possible race condition (use-after-free) like below
(USE) | (FREE) ax25_sendmsg | ax25_queue_xmit | dev_queue_xmit | __dev_queue_xmit | __dev_xmit_skb | sch_direct_xmit | ... xmit_one | netdev_start_xmit | tty_ldisc_kill __netdev_start_xmit | mkiss_close ax_xmit | kfree ax_encaps | |
Even though there are two synchronization primitives before the kfree:
-
wait_for_completion(&ax->dead). This can prevent the race with routines from mkiss_ioctl. However, it cannot stop the routine coming from upper layer, i.e., the ax25_sendmsg.
-
netif_stop_queue(ax->dev). It seems that this line of code aims to halt the transmit queue but it fails to stop the routine that already being xmit.
This patch reorder the kfree after the unregister_netdev to avoid the possible UAF as the unregister_netdev() is well synchronized and won't return if there is a running routine.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2021-47084
- https://git.kernel.org/stable/c/3e0588c291d6ce225f2b891753ca41d45ba42469
- https://git.kernel.org/stable/c/450121075a6a6f1d50f97225d3396315309d61a1
- https://git.kernel.org/stable/c/896193a02a2981e60c40d4614fd095ce92135ccd
- https://git.kernel.org/stable/c/8a1a314965a17c62084a056b4f2cb7a770854c90
- https://git.kernel.org/stable/c/b5b193d0c67180fefdc664650138e3b7959df615
- https://git.kernel.org/stable/c/cb6c99aedd2c843056a598a8907a6128cb07603b
- https://git.kernel.org/stable/c/eaa816a86e629cbcc0a94f38391fee09231628c7
- https://git.kernel.org/stable/c/ef5f7bfa19e3fc366f4c6d1a841ceaddf7a9f5d4
CVE ID
Связанные уязвимости
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
[REJECTED CVE] In the Linux kernel, the following vulnerability has been resolved: hamradio: defer ax25 kfree after unregister_netdev The Linux kernel CVE team has assigned CVE-2021-47084 to this issue.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.