CVE-2021-47299 (GCVE-0-2021-47299)

Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2026-05-11 13:51
VLAI
Title
xdp, net: Fix use-after-free in bpf_xdp_link_release
Summary
In the Linux kernel, the following vulnerability has been resolved: xdp, net: Fix use-after-free in bpf_xdp_link_release The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). At this point, dev_xdp_uninstall() is called. Then xdp link will not be detached automatically when dev is released. But link->dev already points to dev, when xdp link is released, dev will still be accessed, but dev has been released. dev_get_by_index() | link->dev = dev | | rtnl_lock() | unregister_netdevice_many() | dev_xdp_uninstall() | rtnl_unlock() rtnl_lock(); | dev_xdp_attach_link() | rtnl_unlock(); | | netdev_run_todo() // dev released bpf_xdp_link_release() | /* access dev. | use-after-free */ | [ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0 [ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732 [ 45.968297] [ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22 [ 45.969222] Hardware name: linux,dummy-virt (DT) [ 45.969795] Call trace: [ 45.970106] dump_backtrace+0x0/0x4c8 [ 45.970564] show_stack+0x30/0x40 [ 45.970981] dump_stack_lvl+0x120/0x18c [ 45.971470] print_address_description.constprop.0+0x74/0x30c [ 45.972182] kasan_report+0x1e8/0x200 [ 45.972659] __asan_report_load8_noabort+0x2c/0x50 [ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.973834] bpf_link_free+0xd0/0x188 [ 45.974315] bpf_link_put+0x1d0/0x218 [ 45.974790] bpf_link_release+0x3c/0x58 [ 45.975291] __fput+0x20c/0x7e8 [ 45.975706] ____fput+0x24/0x30 [ 45.976117] task_work_run+0x104/0x258 [ 45.976609] do_notify_resume+0x894/0xaf8 [ 45.977121] work_pending+0xc/0x328 [ 45.977575] [ 45.977775] The buggy address belongs to the page: [ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998 [ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff) [ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000 [ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 45.982259] page dumped because: kasan: bad access detected [ 45.982948] [ 45.983153] Memory state around the buggy address: [ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.986419] ^ [ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988895] ================================================================== [ 45.989773] Disabling lock debugging due to kernel taint [ 45.990552] Kernel panic - not syncing: panic_on_warn set ... [ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22 [ 45.991929] Hardware name: linux,dummy-virt (DT) [ 45.992448] Call trace: [ 45.992753] dump_backtrace+0x0/0x4c8 [ 45.993208] show_stack+0x30/0x40 [ 45.993627] dump_stack_lvl+0x120/0x18c [ 45.994113] dump_stack+0x1c/0x34 [ 45.994530] panic+0x3a4/0x7d8 [ 45.994930] end_report+0x194/0x198 [ 45.995380] kasan_report+0x134/0x200 [ 45.995850] __asan_report_load8_noabort+0x2c/0x50 [ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.997007] bpf_link_free+0xd0/0x188 [ 45.997474] bpf_link_put+0x1d0/0x218 [ 45.997942] bpf_link_release+0x3c/0x58 [ 45.998429] __fput+0x20c/0x7e8 [ 45.998833] ____fput+0x24/0x30 [ 45.999247] task_work_run+0x104/0x258 [ 45.999731] do_notify_resume+0x894/0xaf8 [ 46.000236] work_pending ---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: aa8d3a716b59db6c1ad6c68fb8aa05e31980da60 , < ca9ba1de8f09976b45ccc8e655c51c6201992139 (git)
Affected: aa8d3a716b59db6c1ad6c68fb8aa05e31980da60 , < a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6 (git)
Affected: aa8d3a716b59db6c1ad6c68fb8aa05e31980da60 , < 5acc7d3e8d342858405fbbc671221f676b547ce7 (git)
Create a notification for this product.
Linux Linux Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.54 , ≤ 5.10.* (semver)
Unaffected: 5.13.6 , ≤ 5.13.* (semver)
Unaffected: 5.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:08.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47299",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:39:22.390022Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:55.680Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca9ba1de8f09976b45ccc8e655c51c6201992139",
              "status": "affected",
              "version": "aa8d3a716b59db6c1ad6c68fb8aa05e31980da60",
              "versionType": "git"
            },
            {
              "lessThan": "a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6",
              "status": "affected",
              "version": "aa8d3a716b59db6c1ad6c68fb8aa05e31980da60",
              "versionType": "git"
            },
            {
              "lessThan": "5acc7d3e8d342858405fbbc671221f676b547ce7",
              "status": "affected",
              "version": "aa8d3a716b59db6c1ad6c68fb8aa05e31980da60",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.13.*",
              "status": "unaffected",
              "version": "5.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.54",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13.6",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link-\u003edev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index()        |\nlink-\u003edev = dev           |\n                          |      rtnl_lock()\n                          |      unregister_netdevice_many()\n                          |          dev_xdp_uninstall()\n                          |      rtnl_unlock()\nrtnl_lock();              |\ndev_xdp_attach_link()     |\nrtnl_unlock();            |\n                          |      netdev_run_todo() // dev released\nbpf_xdp_link_release()    |\n    /* access dev.        |\n       use-after-free */  |\n\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[   45.968297]\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[   45.969222] Hardware name: linux,dummy-virt (DT)\n[   45.969795] Call trace:\n[   45.970106]  dump_backtrace+0x0/0x4c8\n[   45.970564]  show_stack+0x30/0x40\n[   45.970981]  dump_stack_lvl+0x120/0x18c\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\n[   45.972182]  kasan_report+0x1e8/0x200\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.973834]  bpf_link_free+0xd0/0x188\n[   45.974315]  bpf_link_put+0x1d0/0x218\n[   45.974790]  bpf_link_release+0x3c/0x58\n[   45.975291]  __fput+0x20c/0x7e8\n[   45.975706]  ____fput+0x24/0x30\n[   45.976117]  task_work_run+0x104/0x258\n[   45.976609]  do_notify_resume+0x894/0xaf8\n[   45.977121]  work_pending+0xc/0x328\n[   45.977575]\n[   45.977775] The buggy address belongs to the page:\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[   45.982259] page dumped because: kasan: bad access detected\n[   45.982948]\n[   45.983153] Memory state around the buggy address:\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.986419]                                               ^\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988895] ==================================================================\n[   45.989773] Disabling lock debugging due to kernel taint\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\n[   45.991929] Hardware name: linux,dummy-virt (DT)\n[   45.992448] Call trace:\n[   45.992753]  dump_backtrace+0x0/0x4c8\n[   45.993208]  show_stack+0x30/0x40\n[   45.993627]  dump_stack_lvl+0x120/0x18c\n[   45.994113]  dump_stack+0x1c/0x34\n[   45.994530]  panic+0x3a4/0x7d8\n[   45.994930]  end_report+0x194/0x198\n[   45.995380]  kasan_report+0x134/0x200\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.997007]  bpf_link_free+0xd0/0x188\n[   45.997474]  bpf_link_put+0x1d0/0x218\n[   45.997942]  bpf_link_release+0x3c/0x58\n[   45.998429]  __fput+0x20c/0x7e8\n[   45.998833]  ____fput+0x24/0x30\n[   45.999247]  task_work_run+0x104/0x258\n[   45.999731]  do_notify_resume+0x894/0xaf8\n[   46.000236]  work_pending\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:51:48.198Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6"
        },
        {
          "url": "https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7"
        }
      ],
      "title": "xdp, net: Fix use-after-free in bpf_xdp_link_release",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47299",
    "datePublished": "2024-05-21T14:35:21.276Z",
    "dateReserved": "2024-05-21T13:27:52.132Z",
    "dateUpdated": "2026-05-11T13:51:48.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-47299",
      "date": "2026-07-16",
      "epss": "0.00226",
      "percentile": "0.1322"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.9\", \"versionEndExcluding\": \"5.10.54\", \"matchCriteriaId\": \"4A97ECD5-9A3B-4EE9-A36C-902077EAD62D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11\", \"versionEndExcluding\": \"5.13.6\", \"matchCriteriaId\": \"512C22FC-1524-4E6F-9E62-4F4B7B6E0576\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"71268287-21A8-4488-AA4F-23C473153131\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"23B9E5C6-FAB5-4A02-9E39-27C8787B0991\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp, net: Fix use-after-free in bpf_xdp_link_release\\n\\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\\ndetached automatically when dev is released. But link-\u003edev already\\npoints to dev, when xdp link is released, dev will still be accessed,\\nbut dev has been released.\\n\\ndev_get_by_index()        |\\nlink-\u003edev = dev           |\\n                          |      rtnl_lock()\\n                          |      unregister_netdevice_many()\\n                          |          dev_xdp_uninstall()\\n                          |      rtnl_unlock()\\nrtnl_lock();              |\\ndev_xdp_attach_link()     |\\nrtnl_unlock();            |\\n                          |      netdev_run_todo() // dev released\\nbpf_xdp_link_release()    |\\n    /* access dev.        |\\n       use-after-free */  |\\n\\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\\n[   45.968297]\\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\\n[   45.969222] Hardware name: linux,dummy-virt (DT)\\n[   45.969795] Call trace:\\n[   45.970106]  dump_backtrace+0x0/0x4c8\\n[   45.970564]  show_stack+0x30/0x40\\n[   45.970981]  dump_stack_lvl+0x120/0x18c\\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\\n[   45.972182]  kasan_report+0x1e8/0x200\\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.973834]  bpf_link_free+0xd0/0x188\\n[   45.974315]  bpf_link_put+0x1d0/0x218\\n[   45.974790]  bpf_link_release+0x3c/0x58\\n[   45.975291]  __fput+0x20c/0x7e8\\n[   45.975706]  ____fput+0x24/0x30\\n[   45.976117]  task_work_run+0x104/0x258\\n[   45.976609]  do_notify_resume+0x894/0xaf8\\n[   45.977121]  work_pending+0xc/0x328\\n[   45.977575]\\n[   45.977775] The buggy address belongs to the page:\\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\\n[   45.982259] page dumped because: kasan: bad access detected\\n[   45.982948]\\n[   45.983153] Memory state around the buggy address:\\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.986419]                                               ^\\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.988895] ==================================================================\\n[   45.989773] Disabling lock debugging due to kernel taint\\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\\n[   45.991929] Hardware name: linux,dummy-virt (DT)\\n[   45.992448] Call trace:\\n[   45.992753]  dump_backtrace+0x0/0x4c8\\n[   45.993208]  show_stack+0x30/0x40\\n[   45.993627]  dump_stack_lvl+0x120/0x18c\\n[   45.994113]  dump_stack+0x1c/0x34\\n[   45.994530]  panic+0x3a4/0x7d8\\n[   45.994930]  end_report+0x194/0x198\\n[   45.995380]  kasan_report+0x134/0x200\\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.997007]  bpf_link_free+0xd0/0x188\\n[   45.997474]  bpf_link_put+0x1d0/0x218\\n[   45.997942]  bpf_link_release+0x3c/0x58\\n[   45.998429]  __fput+0x20c/0x7e8\\n[   45.998833]  ____fput+0x24/0x30\\n[   45.999247]  task_work_run+0x104/0x258\\n[   45.999731]  do_notify_resume+0x894/0xaf8\\n[   46.000236]  work_pending\\n---truncated---\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se resolvi\\u00f3 la siguiente vulnerabilidad: xdp, net: corrige use-after-free en bpf_xdp_link_release. El problema ocurre entre dev_get_by_index() y dev_xdp_attach_link(). En este punto, se llama a dev_xdp_uninstall(). Entonces el enlace xdp no se desconectar\\u00e1 autom\\u00e1ticamente cuando se libere el desarrollador. Pero link-\u0026gt;dev ya apunta a dev, cuando se libera el enlace xdp, se seguir\\u00e1 accediendo a dev, pero se ha liberado. dev_get_by_index() | enlace-\u0026gt;dev = dev | | rtnl_lock() | unregister_netdevice_many() | dev_xdp_uninstall() | rtnl_unlock() rtnl_lock(); | dev_xdp_attach_link() | rtnl_unlock(); | | netdev_run_todo() // desarrollador liberado bpf_xdp_link_release() | /* accede al desarrollador. | use after free */ | [45.966867] BUG: KASAN: use after free en bpf_xdp_link_release+0x3b8/0x3d0 [45.967619] Lectura del tama\\u00f1o 8 en la direcci\\u00f3n ffff00000f9980c8 por tarea a.out/732 [45.968297] [45.968502] CPU: 1 PID: Comunicaciones 732: un .out No contaminado 5.13.0+ #22 [ 45.969222] Nombre de hardware: linux,dummy-virt (DT) [ 45.969795] Seguimiento de llamadas: [ 45.970106] dump_backtrace+0x0/0x4c8 [ 45.970564] show_stack+0x30/0x40 [ 45.970981 ] dump_stack_lvl +0x120/0x18c [ 45.971470] print_address_description.constprop.0+0x74/0x30c [ 45.972182] kasan_report+0x1e8/0x200 [ 45.972659] __asan_report_load8_noabort+0x2c/0x50 [ 45.97327 3] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.973834] bpf_link_free+0xd0/0x188 [ 45.974315 ] bpf_link_put+0x1d0/0x218 [ 45.974790] bpf_link_release+0x3c/0x58 [ 45.975291] __fput+0x20c/0x7e8 [ 45.975706] ____fput+0x24/0x30 [ 45.976117] 104/0x258 [ 45.976609] do_notify_resume+0x894/0xaf8 [ 45.977121] work_pending +0xc/0x328 [ 45.977575] [ 45.977775] La direcci\\u00f3n del error pertenece a la p\\u00e1gina: [ 45.978369] p\\u00e1gina:fffffc00003e6600 refcount:0 mapcount:0 mapeo:00000000000000000 index:0x0 pfn:0x4f998 [ 45.97952 2] banderas: 0x7fffe0000000000(nodo=0| zona=0|lastcpupid=0x3ffff) [ 45.980349] raw: 07fffe0000000000 ffffc00003e6708 ffff0000dac3c010 0000000000000000 [ 45.981309] raw: 0000000000000000 000000000000000 00000000ffffffff 0000000000000000 [ 45.982259] p\\u00e1gina volcada porque: kasan: mal acceso detectado [ 45.982948] [ 45.983153] Estado de la memoria alrededor de la direcci\\u00f3n con errores : [ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.985533] \u0026gt;ffff00000f998080:ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.986419] ^ [ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988006] f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988895] ===================================== ============================== [ 45.989773] Deshabilitar la depuraci\\u00f3n de bloqueo debido a corrupci\\u00f3n del kernel [ 45.990552] P\\u00e1nico del kernel - no sincronizar: panic_on_warn establecido... [ 45.991166] CPU: 1 PID: 732 Comm: a.out Contaminado: GB 5.13.0+ #22 [ 45.991929] Nombre de hardware: linux,dummy-virt (DT) [ 45.992448] Seguimiento de llamadas: [ 45.992753] dump_backtrace+0x0/0x4c8 [ 45.993208] show_stack+0x30/0x40 [ 45.993627] dump_stack_lvl+0x120/0x18c [ 45.994113] dump_stack+0x1c/0x34 [ 45.994530 panic+0x3a4/0x7d 8 [ 45.994930] end_report+0x194/0x198 [ 45.995380] kasan_report+ 0x134/0x200 [ 45.995850] __asan_report_load8_noabort+0x2c/0x50 [ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.997007] bpf_link_free+0xd0/0x188 [ 45.99747 4] bpf_link_put+0x1d0/0x218 [ 45.997942] bpf_link_release+0x3c/0x58 [ 45.998429] __fput+0x20c/ 0x7e8 [ 45.998833] ____fput+0x24/0x30 [ 45.999247] task_work_run+0x104/0x258 [ 45.999731] do_notify_resume+0x894/0xaf8 [ 46.000236] work_pending ---truncado---\"}]",
      "id": "CVE-2021-47299",
      "lastModified": "2024-12-26T20:43:42.353",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-05-21T15:15:17.743",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47299\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T15:15:17.743\",\"lastModified\":\"2026-06-17T04:17:08.247\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp, net: Fix use-after-free in bpf_xdp_link_release\\n\\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\\ndetached automatically when dev is released. But link-\u003edev already\\npoints to dev, when xdp link is released, dev will still be accessed,\\nbut dev has been released.\\n\\ndev_get_by_index()        |\\nlink-\u003edev = dev           |\\n                          |      rtnl_lock()\\n                          |      unregister_netdevice_many()\\n                          |          dev_xdp_uninstall()\\n                          |      rtnl_unlock()\\nrtnl_lock();              |\\ndev_xdp_attach_link()     |\\nrtnl_unlock();            |\\n                          |      netdev_run_todo() // dev released\\nbpf_xdp_link_release()    |\\n    /* access dev.        |\\n       use-after-free */  |\\n\\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\\n[   45.968297]\\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\\n[   45.969222] Hardware name: linux,dummy-virt (DT)\\n[   45.969795] Call trace:\\n[   45.970106]  dump_backtrace+0x0/0x4c8\\n[   45.970564]  show_stack+0x30/0x40\\n[   45.970981]  dump_stack_lvl+0x120/0x18c\\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\\n[   45.972182]  kasan_report+0x1e8/0x200\\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.973834]  bpf_link_free+0xd0/0x188\\n[   45.974315]  bpf_link_put+0x1d0/0x218\\n[   45.974790]  bpf_link_release+0x3c/0x58\\n[   45.975291]  __fput+0x20c/0x7e8\\n[   45.975706]  ____fput+0x24/0x30\\n[   45.976117]  task_work_run+0x104/0x258\\n[   45.976609]  do_notify_resume+0x894/0xaf8\\n[   45.977121]  work_pending+0xc/0x328\\n[   45.977575]\\n[   45.977775] The buggy address belongs to the page:\\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\\n[   45.982259] page dumped because: kasan: bad access detected\\n[   45.982948]\\n[   45.983153] Memory state around the buggy address:\\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.986419]                                               ^\\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.988895] ==================================================================\\n[   45.989773] Disabling lock debugging due to kernel taint\\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\\n[   45.991929] Hardware name: linux,dummy-virt (DT)\\n[   45.992448] Call trace:\\n[   45.992753]  dump_backtrace+0x0/0x4c8\\n[   45.993208]  show_stack+0x30/0x40\\n[   45.993627]  dump_stack_lvl+0x120/0x18c\\n[   45.994113]  dump_stack+0x1c/0x34\\n[   45.994530]  panic+0x3a4/0x7d8\\n[   45.994930]  end_report+0x194/0x198\\n[   45.995380]  kasan_report+0x134/0x200\\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.997007]  bpf_link_free+0xd0/0x188\\n[   45.997474]  bpf_link_put+0x1d0/0x218\\n[   45.997942]  bpf_link_release+0x3c/0x58\\n[   45.998429]  __fput+0x20c/0x7e8\\n[   45.998833]  ____fput+0x24/0x30\\n[   45.999247]  task_work_run+0x104/0x258\\n[   45.999731]  do_notify_resume+0x894/0xaf8\\n[   46.000236]  work_pending\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: xdp, net: corrige use-after-free en bpf_xdp_link_release. El problema ocurre entre dev_get_by_index() y dev_xdp_attach_link(). En este punto, se llama a dev_xdp_uninstall(). Entonces el enlace xdp no se desconectar\u00e1 autom\u00e1ticamente cuando se libere el desarrollador. Pero link-\u0026gt;dev ya apunta a dev, cuando se libera el enlace xdp, se seguir\u00e1 accediendo a dev, pero se ha liberado. dev_get_by_index() | enlace-\u0026gt;dev = dev | | rtnl_lock() | unregister_netdevice_many() | dev_xdp_uninstall() | rtnl_unlock() rtnl_lock(); | dev_xdp_attach_link() | rtnl_unlock(); | | netdev_run_todo() // desarrollador liberado bpf_xdp_link_release() | /* accede al desarrollador. | use after free */ | [45.966867] BUG: KASAN: use after free en bpf_xdp_link_release+0x3b8/0x3d0 [45.967619] Lectura del tama\u00f1o 8 en la direcci\u00f3n ffff00000f9980c8 por tarea a.out/732 [45.968297] [45.968502] CPU: 1 PID: Comunicaciones 732: un .out No contaminado 5.13.0+ #22 [ 45.969222] Nombre de hardware: linux,dummy-virt (DT) [ 45.969795] Seguimiento de llamadas: [ 45.970106] dump_backtrace+0x0/0x4c8 [ 45.970564] show_stack+0x30/0x40 [ 45.970981 ] dump_stack_lvl +0x120/0x18c [ 45.971470] print_address_description.constprop.0+0x74/0x30c [ 45.972182] kasan_report+0x1e8/0x200 [ 45.972659] __asan_report_load8_noabort+0x2c/0x50 [ 45.97327 3] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.973834] bpf_link_free+0xd0/0x188 [ 45.974315 ] bpf_link_put+0x1d0/0x218 [ 45.974790] bpf_link_release+0x3c/0x58 [ 45.975291] __fput+0x20c/0x7e8 [ 45.975706] ____fput+0x24/0x30 [ 45.976117] 104/0x258 [ 45.976609] do_notify_resume+0x894/0xaf8 [ 45.977121] work_pending +0xc/0x328 [ 45.977575] [ 45.977775] La direcci\u00f3n del error pertenece a la p\u00e1gina: [ 45.978369] p\u00e1gina:fffffc00003e6600 refcount:0 mapcount:0 mapeo:00000000000000000 index:0x0 pfn:0x4f998 [ 45.97952 2] banderas: 0x7fffe0000000000(nodo=0| zona=0|lastcpupid=0x3ffff) [ 45.980349] raw: 07fffe0000000000 ffffc00003e6708 ffff0000dac3c010 0000000000000000 [ 45.981309] raw: 0000000000000000 000000000000000 00000000ffffffff 0000000000000000 [ 45.982259] p\u00e1gina volcada porque: kasan: mal acceso detectado [ 45.982948] [ 45.983153] Estado de la memoria alrededor de la direcci\u00f3n con errores : [ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.985533] \u0026gt;ffff00000f998080:ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.986419] ^ [ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988006] f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988895] ===================================== ============================== [ 45.989773] Deshabilitar la depuraci\u00f3n de bloqueo debido a corrupci\u00f3n del kernel [ 45.990552] P\u00e1nico del kernel - no sincronizar: panic_on_warn establecido... [ 45.991166] CPU: 1 PID: 732 Comm: a.out Contaminado: GB 5.13.0+ #22 [ 45.991929] Nombre de hardware: linux,dummy-virt (DT) [ 45.992448] Seguimiento de llamadas: [ 45.992753] dump_backtrace+0x0/0x4c8 [ 45.993208] show_stack+0x30/0x40 [ 45.993627] dump_stack_lvl+0x120/0x18c [ 45.994113] dump_stack+0x1c/0x34 [ 45.994530 panic+0x3a4/0x7d 8 [ 45.994930] end_report+0x194/0x198 [ 45.995380] kasan_report+ 0x134/0x200 [ 45.995850] __asan_report_load8_noabort+0x2c/0x50 [ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.997007] bpf_link_free+0xd0/0x188 [ 45.99747 4] bpf_link_put+0x1d0/0x218 [ 45.997942] bpf_link_release+0x3c/0x58 [ 45.998429] __fput+0x20c/ 0x7e8 [ 45.998833] ____fput+0x24/0x30 [ 45.999247] task_work_run+0x104/0x258 [ 45.999731] do_notify_resume+0x894/0xaf8 [ 46.000236] work_pending ---truncado---\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/core/dev.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"aa8d3a716b59db6c1ad6c68fb8aa05e31980da60\",\"lessThan\":\"ca9ba1de8f09976b45ccc8e655c51c6201992139\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"aa8d3a716b59db6c1ad6c68fb8aa05e31980da60\",\"lessThan\":\"a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"aa8d3a716b59db6c1ad6c68fb8aa05e31980da60\",\"lessThan\":\"5acc7d3e8d342858405fbbc671221f676b547ce7\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/core/dev.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"5.9\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"5.9\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.54\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.13.6\",\"lessThanOrEqual\":\"5.13.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.14\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-09-10T15:39:22.390022Z\",\"id\":\"CVE-2021-47299\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.9\",\"versionEndExcluding\":\"5.10.54\",\"matchCriteriaId\":\"4A97ECD5-9A3B-4EE9-A36C-902077EAD62D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.13.6\",\"matchCriteriaId\":\"512C22FC-1524-4E6F-9E62-4F4B7B6E0576\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"71268287-21A8-4488-AA4F-23C473153131\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"23B9E5C6-FAB5-4A02-9E39-27C8787B0991\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "redhat_vex": {
      "aggregate_severity": "Moderate",
      "current_release_date": "2025-11-21T14:10:30+00:00",
      "cve": "CVE-2021-47299",
      "id": "CVE-2021-47299",
      "initial_release_date": "2021-01-01T00:00:00+00:00",
      "product_status:known_affected": "42",
      "product_status:known_not_affected": "156",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "kernel: xdp, net: Fix use-after-free in bpf_xdp_link_release",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2021/cve-2021-47299.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:32:08.438Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47299\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:39:22.390022Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:19.659Z\"}}], \"cna\": {\"title\": \"xdp, net: Fix use-after-free in bpf_xdp_link_release\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"aa8d3a716b59\", \"lessThan\": \"ca9ba1de8f09\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"aa8d3a716b59\", \"lessThan\": \"a7537dc73e69\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"aa8d3a716b59\", \"lessThan\": \"5acc7d3e8d34\", \"versionType\": \"git\"}], \"programFiles\": [\"net/core/dev.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.9\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.9\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"5.10.54\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13.6\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.13.*\"}, {\"status\": \"unaffected\", \"version\": \"5.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/core/dev.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139\"}, {\"url\": \"https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6\"}, {\"url\": \"https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7\"}], \"x_generator\": {\"engine\": \"bippy-a5840b7849dd\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxdp, net: Fix use-after-free in bpf_xdp_link_release\\n\\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\\ndetached automatically when dev is released. But link-\u003edev already\\npoints to dev, when xdp link is released, dev will still be accessed,\\nbut dev has been released.\\n\\ndev_get_by_index()        |\\nlink-\u003edev = dev           |\\n                          |      rtnl_lock()\\n                          |      unregister_netdevice_many()\\n                          |          dev_xdp_uninstall()\\n                          |      rtnl_unlock()\\nrtnl_lock();              |\\ndev_xdp_attach_link()     |\\nrtnl_unlock();            |\\n                          |      netdev_run_todo() // dev released\\nbpf_xdp_link_release()    |\\n    /* access dev.        |\\n       use-after-free */  |\\n\\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\\n[   45.968297]\\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\\n[   45.969222] Hardware name: linux,dummy-virt (DT)\\n[   45.969795] Call trace:\\n[   45.970106]  dump_backtrace+0x0/0x4c8\\n[   45.970564]  show_stack+0x30/0x40\\n[   45.970981]  dump_stack_lvl+0x120/0x18c\\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\\n[   45.972182]  kasan_report+0x1e8/0x200\\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.973834]  bpf_link_free+0xd0/0x188\\n[   45.974315]  bpf_link_put+0x1d0/0x218\\n[   45.974790]  bpf_link_release+0x3c/0x58\\n[   45.975291]  __fput+0x20c/0x7e8\\n[   45.975706]  ____fput+0x24/0x30\\n[   45.976117]  task_work_run+0x104/0x258\\n[   45.976609]  do_notify_resume+0x894/0xaf8\\n[   45.977121]  work_pending+0xc/0x328\\n[   45.977575]\\n[   45.977775] The buggy address belongs to the page:\\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\\n[   45.982259] page dumped because: kasan: bad access detected\\n[   45.982948]\\n[   45.983153] Memory state around the buggy address:\\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.986419]                                               ^\\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\\n[   45.988895] ==================================================================\\n[   45.989773] Disabling lock debugging due to kernel taint\\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\\n[   45.991929] Hardware name: linux,dummy-virt (DT)\\n[   45.992448] Call trace:\\n[   45.992753]  dump_backtrace+0x0/0x4c8\\n[   45.993208]  show_stack+0x30/0x40\\n[   45.993627]  dump_stack_lvl+0x120/0x18c\\n[   45.994113]  dump_stack+0x1c/0x34\\n[   45.994530]  panic+0x3a4/0x7d8\\n[   45.994930]  end_report+0x194/0x198\\n[   45.995380]  kasan_report+0x134/0x200\\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\\n[   45.997007]  bpf_link_free+0xd0/0x188\\n[   45.997474]  bpf_link_put+0x1d0/0x218\\n[   45.997942]  bpf_link_release+0x3c/0x58\\n[   45.998429]  __fput+0x20c/0x7e8\\n[   45.998833]  ____fput+0x24/0x30\\n[   45.999247]  task_work_run+0x104/0x258\\n[   45.999731]  do_notify_resume+0x894/0xaf8\\n[   46.000236]  work_pending\\n---truncated---\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-05-29T05:05:31.530Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47299\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-11T17:33:55.680Z\", \"dateReserved\": \"2024-05-21T13:27:52.132Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-21T14:35:21.276Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…