A race condition vulnerability was discovered in the Linux kernel's userfaultfd implementation, between `userfaultfd_writeprotect()` and `exit_mmap()`. The issue arises when a process exits and `exit_mmap()` removes its VMAs (Virtual Memory Areas) while `userfaultfd_writeprotect()` is called at the same time.
The race condition was detected by KASAN (Kernel Address Sanitizer) on a development kernel but is also possible on vanilla kernels. The fix uses `mmget_not_zero()` to prevent the race, as other userfaultfd operations already do. This vulnerability has been assigned CVE-2021-47461.
The issue was introduced in Linux kernel 5.7 by commit 63b2d4174c4a and affects that version and later. The fix was applied in versions 5.10.76 (commit 3cda4bfffd4f), 5.14.15 (commit 149958ecd062), and 5.15 (commit cb185d5f1ebf). To mitigate this issue, the Linux kernel CVE team recommends updating to the latest stable kernel version. If updating is not possible, the individual changes can be found in the commits listed above.
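
The pattern behind the fix described above, as a userspace C model added here for illustration (it is not kernel code and not taken from the fixing commits): a reference is taken only if the user count has not already reached zero, so the write-protect path either pins the address space or backs out. The `mm_model` struct, the `model_*` functions and the `-ESRCH` return value are assumptions of this sketch.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Userspace stand-in for the part of mm_struct that matters here. */
struct mm_model {
    atomic_int mm_users;  /* 0 means the address space is being torn down */
    int vma_count;        /* stand-in for the VMAs removed by exit_mmap() */
};

/* Model of mmget_not_zero(): take a reference unless the count is already 0. */
static bool model_mmget_not_zero(struct mm_model *mm)
{
    int old = atomic_load(&mm->mm_users);
    while (old != 0) {
        /* On failure, 'old' is reloaded and the zero check runs again. */
        if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1))
            return true;
    }
    return false;
}

/* Model of mmput(): the last reference dropped triggers the teardown. */
static void model_mmput(struct mm_model *mm)
{
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1)
        mm->vma_count = 0;  /* stand-in for exit_mmap() */
}

/* Model of the fixed write-protect path: pin the mm before touching VMAs. */
static int model_writeprotect(struct mm_model *mm)
{
    if (!model_mmget_not_zero(mm))
        return -ESRCH;          /* address space already gone: back out */
    int seen = mm->vma_count;   /* teardown cannot start while pinned */
    model_mmput(mm);
    return seen;
}

int main(void)
{
    struct mm_model mm;
    atomic_init(&mm.mm_users, 1);
    mm.vma_count = 3;           /* constructed sample value */

    int live = model_writeprotect(&mm);  /* process alive: sees 3 VMAs */
    model_mmput(&mm);                    /* process exit drops last user */
    int dead = model_writeprotect(&mm);  /* after exit: refused */
    return (live == 3 && dead == -ESRCH) ? 0 : 1;
}
```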