cve/published/2021/CVE-2021-46981.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46981: nbd: Fix NULL pointer in flush_workqueue

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nbd: Fix NULL pointer in flush_workqueue

 Open /dev/nbdX first, the config_refs will be 1 and
 the pointers in nbd_device are still null. Disconnect
 /dev/nbdX, then reference a null recv_workq. The
 protection by config_refs in nbd_genl_disconnect is useless.

 [  656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020
 [  656.368943] #PF: supervisor write access in kernel mode
 [  656.369844] #PF: error_code(0x0002) - not-present page
 [  656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0
 [  656.371693] Oops: 0002 [#1] SMP
 [  656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1
 [  656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
 [  656.375904] RIP: 0010:mutex_lock+0x29/0x60
 [  656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d
 [  656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246
 [  656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
 [  656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020
 [  656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318
 [  656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40
 [  656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00
 [  656.382166] FS:  00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000
 [  656.382806] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0
 [  656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 [  656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 [  656.384927] Call Trace:
 [  656.385111]  flush_workqueue+0x92/0x6c0
 [  656.385395]  nbd_disconnect_and_put+0x81/0xd0
 [  656.385716]  nbd_genl_disconnect+0x125/0x2a0
 [  656.386034]  genl_family_rcv_msg_doit.isra.0+0x102/0x1b0
 [  656.386422]  genl_rcv_msg+0xfc/0x2b0
 [  656.386685]  ? nbd_ioctl+0x490/0x490
 [  656.386954]  ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0
 [  656.387354]  netlink_rcv_skb+0x62/0x180
 [  656.387638]  genl_rcv+0x34/0x60
 [  656.387874]  netlink_unicast+0x26d/0x590
 [  656.388162]  netlink_sendmsg+0x398/0x6c0
 [  656.388451]  ? netlink_rcv_skb+0x180/0x180
 [  656.388750]  ____sys_sendmsg+0x1da/0x320
 [  656.389038]  ? ____sys_recvmsg+0x130/0x220
 [  656.389334]  ___sys_sendmsg+0x8e/0xf0
 [  656.389605]  ? ___sys_recvmsg+0xa2/0xf0
 [  656.389889]  ? handle_mm_fault+0x1671/0x21d0
 [  656.390201]  __sys_sendmsg+0x6d/0xe0
 [  656.390464]  __x64_sys_sendmsg+0x23/0x30
 [  656.390751]  do_syscall_64+0x45/0x70
 [  656.391017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().

 The Linux kernel CVE team has assigned CVE-2021-46981 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.4.120 with commit 1c4962df938891af9ab4775f5224ef8601764107
 	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.10.38 with commit cde4b55cfb24522dcbba80bbdb0c082303e76c43
 	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.11.22 with commit b31d237796fd618379ec8e0f4de3370b5e4aeee7
 	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.12.5 with commit 54b78ba7e96e5fe1edb8054e375d31a6c0dc60dc
 	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.13 with commit 79ebe9110fa458d58f1fceb078e2068d7ad37390
 	Issue introduced in 4.14.149 with commit 0b584bf573ae59021069c056c22d65d5721910cb
 	Issue introduced in 4.19.79 with commit 9f0f39c92e4f50189155dfb13bb5524372e40eba
 	Issue introduced in 5.3.6 with commit 92ec11cccb7fc14331e000ab2337f60aa433433e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46981
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/block/nbd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1c4962df938891af9ab4775f5224ef8601764107
 	https://git.kernel.org/stable/c/cde4b55cfb24522dcbba80bbdb0c082303e76c43
 	https://git.kernel.org/stable/c/b31d237796fd618379ec8e0f4de3370b5e4aeee7
 	https://git.kernel.org/stable/c/54b78ba7e96e5fe1edb8054e375d31a6c0dc60dc
 	https://git.kernel.org/stable/c/79ebe9110fa458d58f1fceb078e2068d7ad37390
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46981: nbd: Fix NULL pointer in flush_workqueue

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nbd: Fix NULL pointer in flush_workqueue

	Open /dev/nbdX first, the config_refs will be 1 and
	the pointers in nbd_device are still null. Disconnect
	/dev/nbdX, then reference a null recv_workq. The
	protection by config_refs in nbd_genl_disconnect is useless.

	[ 656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020
	[ 656.368943] #PF: supervisor write access in kernel mode
	[ 656.369844] #PF: error_code(0x0002) - not-present page
	[ 656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0
	[ 656.371693] Oops: 0002 [#1] SMP
	[ 656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1
	[ 656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
	[ 656.375904] RIP: 0010:mutex_lock+0x29/0x60
	[ 656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d
	[ 656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246
	[ 656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
	[ 656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020
	[ 656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318
	[ 656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40
	[ 656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00
	[ 656.382166] FS: 00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000
	[ 656.382806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0
	[ 656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	[ 656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	[ 656.384927] Call Trace:
	[ 656.385111] flush_workqueue+0x92/0x6c0
	[ 656.385395] nbd_disconnect_and_put+0x81/0xd0
	[ 656.385716] nbd_genl_disconnect+0x125/0x2a0
	[ 656.386034] genl_family_rcv_msg_doit.isra.0+0x102/0x1b0
	[ 656.386422] genl_rcv_msg+0xfc/0x2b0
	[ 656.386685] ? nbd_ioctl+0x490/0x490
	[ 656.386954] ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0
	[ 656.387354] netlink_rcv_skb+0x62/0x180
	[ 656.387638] genl_rcv+0x34/0x60
	[ 656.387874] netlink_unicast+0x26d/0x590
	[ 656.388162] netlink_sendmsg+0x398/0x6c0
	[ 656.388451] ? netlink_rcv_skb+0x180/0x180
	[ 656.388750] ____sys_sendmsg+0x1da/0x320
	[ 656.389038] ? ____sys_recvmsg+0x130/0x220
	[ 656.389334] ___sys_sendmsg+0x8e/0xf0
	[ 656.389605] ? ___sys_recvmsg+0xa2/0xf0
	[ 656.389889] ? handle_mm_fault+0x1671/0x21d0
	[ 656.390201] __sys_sendmsg+0x6d/0xe0
	[ 656.390464] __x64_sys_sendmsg+0x23/0x30
	[ 656.390751] do_syscall_64+0x45/0x70
	[ 656.391017] entry_SYSCALL_64_after_hwframe+0x44/0xa9

	To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().

	The Linux kernel CVE team has assigned CVE-2021-46981 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.4.120 with commit 1c4962df938891af9ab4775f5224ef8601764107
	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.10.38 with commit cde4b55cfb24522dcbba80bbdb0c082303e76c43
	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.11.22 with commit b31d237796fd618379ec8e0f4de3370b5e4aeee7
	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.12.5 with commit 54b78ba7e96e5fe1edb8054e375d31a6c0dc60dc
	Issue introduced in 5.4 with commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4 and fixed in 5.13 with commit 79ebe9110fa458d58f1fceb078e2068d7ad37390
	Issue introduced in 4.14.149 with commit 0b584bf573ae59021069c056c22d65d5721910cb
	Issue introduced in 4.19.79 with commit 9f0f39c92e4f50189155dfb13bb5524372e40eba
	Issue introduced in 5.3.6 with commit 92ec11cccb7fc14331e000ab2337f60aa433433e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46981
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/block/nbd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1c4962df938891af9ab4775f5224ef8601764107
	https://git.kernel.org/stable/c/cde4b55cfb24522dcbba80bbdb0c082303e76c43
	https://git.kernel.org/stable/c/b31d237796fd618379ec8e0f4de3370b5e4aeee7
	https://git.kernel.org/stable/c/54b78ba7e96e5fe1edb8054e375d31a6c0dc60dc
	https://git.kernel.org/stable/c/79ebe9110fa458d58f1fceb078e2068d7ad37390