5.5
CVE-2021-46988
- EPSS 0.24%
- Veröffentlicht 28.02.2024 09:15:37
- Zuletzt bearbeitet 26.12.2024 15:01:37
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
userfaultfd: release page in error path to avoid BUG_ON
In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.11 < 4.14.233
Linux ≫ Linux Kernel Version >= 4.15 < 4.19.191
Linux ≫ Linux Kernel Version >= 4.20 < 5.4.120
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.38
Linux ≫ Linux Kernel Version >= 5.11 < 5.11.22
Linux ≫ Linux Kernel Version >= 5.12 < 5.12.5
Linux ≫ Linux Kernel Version5.13 Updaterc1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.148 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f
https://git.kernel.org/stable/c/140cfd9980124aecb6c03ef2e69c72d0548744de
https://git.kernel.org/stable/c/2d59a0ed8b26b8f3638d8afc31f839e27759f1f6
https://git.kernel.org/stable/c/319116227e52d49eee671f0aa278bac89b3c1b69
https://git.kernel.org/stable/c/7ed9d238c7dbb1fdb63ad96a6184985151b0171c
https://git.kernel.org/stable/c/ad53127973034c63b5348715a1043d0e80ceb330
https://git.kernel.org/stable/c/b3f1731c6d7fbc1ebe3ed8eff6d6bec56d76ff43