GHSA-8FM5-V3C4-VRMQ
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-26 21:30In the Linux kernel, the following vulnerability has been resolved:
xdp, net: Fix use-after-free in bpf_xdp_link_release
The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). At this point, dev_xdp_uninstall() is called. Then xdp link will not be detached automatically when dev is released. But link->dev already points to dev, when xdp link is released, dev will still be accessed, but dev has been released.
dev_get_by_index() | link->dev = dev | | rtnl_lock() | unregister_netdevice_many() | dev_xdp_uninstall() | rtnl_unlock() rtnl_lock(); | dev_xdp_attach_link() | rtnl_unlock(); | | netdev_run_todo() // dev released bpf_xdp_link_release() | / access dev. | use-after-free / |
[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0 [ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732 [ 45.968297] [ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22 [ 45.969222] Hardware name: linux,dummy-virt (DT) [ 45.969795] Call trace: [ 45.970106] dump_backtrace+0x0/0x4c8 [ 45.970564] show_stack+0x30/0x40 [ 45.970981] dump_stack_lvl+0x120/0x18c [ 45.971470] print_address_description.constprop.0+0x74/0x30c [ 45.972182] kasan_report+0x1e8/0x200 [ 45.972659] __asan_report_load8_noabort+0x2c/0x50 [ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.973834] bpf_link_free+0xd0/0x188 [ 45.974315] bpf_link_put+0x1d0/0x218 [ 45.974790] bpf_link_release+0x3c/0x58 [ 45.975291] __fput+0x20c/0x7e8 [ 45.975706] _fput+0x24/0x30 [ 45.976117] taskwork_run+0x104/0x258 [ 45.976609] do_notify_resume+0x894/0xaf8 [ 45.977121] work_pending+0xc/0x328 [ 45.977575] [ 45.977775] The buggy address belongs to the page: [ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998 [ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff) [ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000 [ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 45.982259] page dumped because: kasan: bad access detected [ 45.982948] [ 45.983153] Memory state around the buggy address: [ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.986419] ^ [ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988895] ================================================================== [ 45.989773] Disabling lock debugging due to kernel taint [ 45.990552] Kernel panic - not syncing: panic_on_warn set ... [ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22 [ 45.991929] Hardware name: linux,dummy-virt (DT) [ 45.992448] Call trace: [ 45.992753] dump_backtrace+0x0/0x4c8 [ 45.993208] show_stack+0x30/0x40 [ 45.993627] dump_stack_lvl+0x120/0x18c [ 45.994113] dump_stack+0x1c/0x34 [ 45.994530] panic+0x3a4/0x7d8 [ 45.994930] end_report+0x194/0x198 [ 45.995380] kasan_report+0x134/0x200 [ 45.995850] asan_report_load8_noabort+0x2c/0x50 [ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.997007] bpf_link_free+0xd0/0x188 [ 45.997474] bpf_link_put+0x1d0/0x218 [ 45.997942] bpf_link_release+0x3c/0x58 [ 45.998429] __fput+0x20c/0x7e8 [ 45.998833] ____fput+0x24/0x30 [ 45.999247] task_work_run+0x104/0x258 [ 45.999731] do_notify_resume+0x894/0xaf8 [ 46.000236] work_pending ---truncated---
{
"affected": [],
"aliases": [
"CVE-2021-47299"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link-\u003edev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index() |\nlink-\u003edev = dev |\n | rtnl_lock()\n | unregister_netdevice_many()\n | dev_xdp_uninstall()\n | rtnl_unlock()\nrtnl_lock(); |\ndev_xdp_attach_link() |\nrtnl_unlock(); |\n | netdev_run_todo() // dev released\nbpf_xdp_link_release() |\n /* access dev. |\n use-after-free */ |\n\n[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[ 45.968297]\n[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[ 45.969222] Hardware name: linux,dummy-virt (DT)\n[ 45.969795] Call trace:\n[ 45.970106] dump_backtrace+0x0/0x4c8\n[ 45.970564] show_stack+0x30/0x40\n[ 45.970981] dump_stack_lvl+0x120/0x18c\n[ 45.971470] print_address_description.constprop.0+0x74/0x30c\n[ 45.972182] kasan_report+0x1e8/0x200\n[ 45.972659] __asan_report_load8_noabort+0x2c/0x50\n[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.973834] bpf_link_free+0xd0/0x188\n[ 45.974315] bpf_link_put+0x1d0/0x218\n[ 45.974790] bpf_link_release+0x3c/0x58\n[ 45.975291] __fput+0x20c/0x7e8\n[ 45.975706] ____fput+0x24/0x30\n[ 45.976117] task_work_run+0x104/0x258\n[ 45.976609] do_notify_resume+0x894/0xaf8\n[ 45.977121] work_pending+0xc/0x328\n[ 45.977575]\n[ 45.977775] The buggy address belongs to the page:\n[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 45.982259] page dumped because: kasan: bad access detected\n[ 45.982948]\n[ 45.983153] Memory state around the buggy address:\n[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.986419] ^\n[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.988895] ==================================================================\n[ 45.989773] Disabling lock debugging due to kernel taint\n[ 45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22\n[ 45.991929] Hardware name: linux,dummy-virt (DT)\n[ 45.992448] Call trace:\n[ 45.992753] dump_backtrace+0x0/0x4c8\n[ 45.993208] show_stack+0x30/0x40\n[ 45.993627] dump_stack_lvl+0x120/0x18c\n[ 45.994113] dump_stack+0x1c/0x34\n[ 45.994530] panic+0x3a4/0x7d8\n[ 45.994930] end_report+0x194/0x198\n[ 45.995380] kasan_report+0x134/0x200\n[ 45.995850] __asan_report_load8_noabort+0x2c/0x50\n[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.997007] bpf_link_free+0xd0/0x188\n[ 45.997474] bpf_link_put+0x1d0/0x218\n[ 45.997942] bpf_link_release+0x3c/0x58\n[ 45.998429] __fput+0x20c/0x7e8\n[ 45.998833] ____fput+0x24/0x30\n[ 45.999247] task_work_run+0x104/0x258\n[ 45.999731] do_notify_resume+0x894/0xaf8\n[ 46.000236] work_pending\n---truncated---",
"id": "GHSA-8fm5-v3c4-vrmq",
"modified": "2024-12-26T21:30:35Z",
"published": "2024-05-21T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47299"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.