CVE-2021-47505

EPSS 0.02%
Veröffentlicht 24.05.2024 15:15:11
Zuletzt bearbeitet 10.01.2025 18:00:30
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

aio: fix use-after-free due to missing POLLFREE handling

signalfd_poll() and binder_poll() are special in that they use a
waitqueue whose lifetime is the current task, rather than the struct
file as is normally the case.  This is okay for blocking polls, since a
blocking poll occurs within one task; however, non-blocking polls
require another solution.  This solution is for the queue to be cleared
before it is freed, by sending a POLLFREE notification to all waiters.

Unfortunately, only eventpoll handles POLLFREE.  A second type of
non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't
handle POLLFREE.  This allows a use-after-free to occur if a signalfd or
binder fd is polled with aio poll, and the waitqueue gets freed.

Fix this by making aio poll handle POLLFREE.

A patch by Ramji Jiyani <ramjiyani@google.com>
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
tried to do this by making aio_poll_wake() always complete the request
inline if POLLFREE is seen.  However, that solution had two bugs.
First, it introduced a deadlock, as it unconditionally locked the aio
context while holding the waitqueue lock, which inverts the normal
locking order.  Second, it didn't consider that POLLFREE notifications
are missed while the request has been temporarily de-queued.

The second problem was solved by my previous patch.  This patch then
properly fixes the use-after-free by handling POLLFREE in a
deadlock-free way.  It does this by taking advantage of the fact that
freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.18 < 4.19.221

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.165

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.85

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.8

Linux ≫ Linux Kernel Version5.16 Updaterc1

Linux ≫ Linux Kernel Version5.16 Updaterc2

Linux ≫ Linux Kernel Version5.16 Updaterc3

Linux ≫ Linux Kernel Version5.16 Updaterc4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.037

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/321fba81ec034f88aea4898993c1bf15605c023f

Patch

https://git.kernel.org/stable/c/4105e6a128e8a98455dfc9e6dbb2ab0c33c4497f

Patch

https://git.kernel.org/stable/c/47ffefd88abfffe8a040bcc1dd0554d4ea6f7689

Patch

https://git.kernel.org/stable/c/50252e4b5e989ce64555c7aef7516bdefc2fea72

Patch

https://git.kernel.org/stable/c/60d311f9e6381d779d7d53371f87285698ecee24

Patch

https://nvd.nist.gov/vuln/detail/CVE-2021-47505

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-47505

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-47505

EUVD