7.8

CVE-2021-47012

RDMA/siw: Fix a use after free in siw_alloc_mr

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix a use after free in siw_alloc_mr

Our code analyzer reported a UAF.

In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
freed object. After, the execution continue up to the err_out branch of
siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).

My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {}
section, to avoid the uaf.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.3 < 5.4.119
LinuxLinux Kernel Version >= 5.5 < 5.10.37
LinuxLinux Kernel Version >= 5.11 < 5.11.21
LinuxLinux Kernel Version >= 5.12 < 5.12.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.182
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63
Patch
https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4
Patch
https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4
Patch
https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c
Patch
https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155
Patch