GHSA-8FM5-V3C4-VRMQ

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-26 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xdp, net: Fix use-after-free in bpf_xdp_link_release

The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). At this point, dev_xdp_uninstall() is called. Then xdp link will not be detached automatically when dev is released. But link->dev already points to dev, when xdp link is released, dev will still be accessed, but dev has been released.

dev_get_by_index() | link->dev = dev | | rtnl_lock() | unregister_netdevice_many() | dev_xdp_uninstall() | rtnl_unlock() rtnl_lock(); | dev_xdp_attach_link() | rtnl_unlock(); | | netdev_run_todo() // dev released bpf_xdp_link_release() | / access dev. | use-after-free / |

[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0 [ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732 [ 45.968297] [ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22 [ 45.969222] Hardware name: linux,dummy-virt (DT) [ 45.969795] Call trace: [ 45.970106] dump_backtrace+0x0/0x4c8 [ 45.970564] show_stack+0x30/0x40 [ 45.970981] dump_stack_lvl+0x120/0x18c [ 45.971470] print_address_description.constprop.0+0x74/0x30c [ 45.972182] kasan_report+0x1e8/0x200 [ 45.972659] __asan_report_load8_noabort+0x2c/0x50 [ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.973834] bpf_link_free+0xd0/0x188 [ 45.974315] bpf_link_put+0x1d0/0x218 [ 45.974790] bpf_link_release+0x3c/0x58 [ 45.975291] __fput+0x20c/0x7e8 [ 45.975706] _fput+0x24/0x30 [ 45.976117] taskwork_run+0x104/0x258 [ 45.976609] do_notify_resume+0x894/0xaf8 [ 45.977121] work_pending+0xc/0x328 [ 45.977575] [ 45.977775] The buggy address belongs to the page: [ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998 [ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff) [ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000 [ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 45.982259] page dumped because: kasan: bad access detected [ 45.982948] [ 45.983153] Memory state around the buggy address: [ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.986419] ^ [ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988895] ================================================================== [ 45.989773] Disabling lock debugging due to kernel taint [ 45.990552] Kernel panic - not syncing: panic_on_warn set ... [ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22 [ 45.991929] Hardware name: linux,dummy-virt (DT) [ 45.992448] Call trace: [ 45.992753] dump_backtrace+0x0/0x4c8 [ 45.993208] show_stack+0x30/0x40 [ 45.993627] dump_stack_lvl+0x120/0x18c [ 45.994113] dump_stack+0x1c/0x34 [ 45.994530] panic+0x3a4/0x7d8 [ 45.994930] end_report+0x194/0x198 [ 45.995380] kasan_report+0x134/0x200 [ 45.995850] asan_report_load8_noabort+0x2c/0x50 [ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0 [ 45.997007] bpf_link_free+0xd0/0x188 [ 45.997474] bpf_link_put+0x1d0/0x218 [ 45.997942] bpf_link_release+0x3c/0x58 [ 45.998429] __fput+0x20c/0x7e8 [ 45.998833] ____fput+0x24/0x30 [ 45.999247] task_work_run+0x104/0x258 [ 45.999731] do_notify_resume+0x894/0xaf8 [ 46.000236] work_pending ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link-\u003edev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index()        |\nlink-\u003edev = dev           |\n                          |      rtnl_lock()\n                          |      unregister_netdevice_many()\n                          |          dev_xdp_uninstall()\n                          |      rtnl_unlock()\nrtnl_lock();              |\ndev_xdp_attach_link()     |\nrtnl_unlock();            |\n                          |      netdev_run_todo() // dev released\nbpf_xdp_link_release()    |\n    /* access dev.        |\n       use-after-free */  |\n\n[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[   45.968297]\n[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[   45.969222] Hardware name: linux,dummy-virt (DT)\n[   45.969795] Call trace:\n[   45.970106]  dump_backtrace+0x0/0x4c8\n[   45.970564]  show_stack+0x30/0x40\n[   45.970981]  dump_stack_lvl+0x120/0x18c\n[   45.971470]  print_address_description.constprop.0+0x74/0x30c\n[   45.972182]  kasan_report+0x1e8/0x200\n[   45.972659]  __asan_report_load8_noabort+0x2c/0x50\n[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.973834]  bpf_link_free+0xd0/0x188\n[   45.974315]  bpf_link_put+0x1d0/0x218\n[   45.974790]  bpf_link_release+0x3c/0x58\n[   45.975291]  __fput+0x20c/0x7e8\n[   45.975706]  ____fput+0x24/0x30\n[   45.976117]  task_work_run+0x104/0x258\n[   45.976609]  do_notify_resume+0x894/0xaf8\n[   45.977121]  work_pending+0xc/0x328\n[   45.977575]\n[   45.977775] The buggy address belongs to the page:\n[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[   45.982259] page dumped because: kasan: bad access detected\n[   45.982948]\n[   45.983153] Memory state around the buggy address:\n[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.985533] \u003effff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.986419]                                               ^\n[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[   45.988895] ==================================================================\n[   45.989773] Disabling lock debugging due to kernel taint\n[   45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22\n[   45.991929] Hardware name: linux,dummy-virt (DT)\n[   45.992448] Call trace:\n[   45.992753]  dump_backtrace+0x0/0x4c8\n[   45.993208]  show_stack+0x30/0x40\n[   45.993627]  dump_stack_lvl+0x120/0x18c\n[   45.994113]  dump_stack+0x1c/0x34\n[   45.994530]  panic+0x3a4/0x7d8\n[   45.994930]  end_report+0x194/0x198\n[   45.995380]  kasan_report+0x134/0x200\n[   45.995850]  __asan_report_load8_noabort+0x2c/0x50\n[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0\n[   45.997007]  bpf_link_free+0xd0/0x188\n[   45.997474]  bpf_link_put+0x1d0/0x218\n[   45.997942]  bpf_link_release+0x3c/0x58\n[   45.998429]  __fput+0x20c/0x7e8\n[   45.998833]  ____fput+0x24/0x30\n[   45.999247]  task_work_run+0x104/0x258\n[   45.999731]  do_notify_resume+0x894/0xaf8\n[   46.000236]  work_pending\n---truncated---",
  "id": "GHSA-8fm5-v3c4-vrmq",
  "modified": "2024-12-26T21:30:35Z",
  "published": "2024-05-21T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47299"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…