CVE-2021-46988

EPSS 0.01%
Published 28.02.2024 09:15:37
Last modified 26.12.2024 15:01:37
Source 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Open
Login

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into
   shmem_mfill_atomic_pte(). We successfully account the blocks, we
   shmem_alloc_page(), but then the copy_from_user() fails. We return
   -ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after
   dropping the mmap_lock, and retries, calling back into
   shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
   immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page
should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting
fails, and if so, release it before returning.

Affected products Warnungen 0 Metrics 2 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.11 < 4.14.233

Linux ≫ Linux Kernel Version >= 4.15 < 4.19.191

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.120

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.38

Linux ≫ Linux Kernel Version >= 5.11 < 5.11.22

Linux ≫ Linux Kernel Version >= 5.12 < 5.12.5

Linux ≫ Linux Kernel Version5.13 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.01%	0.012

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f

Patch

https://git.kernel.org/stable/c/140cfd9980124aecb6c03ef2e69c72d0548744de

Patch

https://git.kernel.org/stable/c/2d59a0ed8b26b8f3638d8afc31f839e27759f1f6

Patch

https://git.kernel.org/stable/c/319116227e52d49eee671f0aa278bac89b3c1b69

Patch

https://git.kernel.org/stable/c/7ed9d238c7dbb1fdb63ad96a6184985151b0171c

Patch

https://git.kernel.org/stable/c/ad53127973034c63b5348715a1043d0e80ceb330

Patch