cve/published/2021/CVE-2021-47026.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47026: RDMA/rtrs-clt: destroy sysfs after removing session from active list

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/rtrs-clt: destroy sysfs after removing session from active list

 A session can be removed dynamically by sysfs interface "remove_path" that
 eventually calls rtrs_clt_remove_path_from_sysfs function.  The current
 rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and
 frees sess->stats object. Second it removes the session from the active
 list.

 Therefore some functions could access non-connected session and access the
 freed sess->stats object even-if they check the session status before
 accessing the session.

 For instance rtrs_clt_request and get_next_path_min_inflight check the
 session status and try to send IO to the session.  The session status
 could be changed when they are trying to send IO but they could not catch
 the change and update the statistics information in sess->stats object,
 and generate use-after-free problem.
 (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its
 stats")

 This patch changes the rtrs_clt_remove_path_from_sysfs to remove the
 session from the active session list and then destroy the sysfs
 interfaces.

 Each function still should check the session status because closing or
 error recovery paths can change the status.

 The Linux kernel CVE team has assigned CVE-2021-47026 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.10.37 with commit b64415c6b3476cf9fa4d0aea3807065b8403a937
 	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.11.21 with commit 676171f9405dcaa45a33d18241c32f387dbaae39
 	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.12.4 with commit d3cca8067d43dfee4a3535c645b55f618708dccb
 	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.13 with commit 7f4a8592ff29f19c5a2ca549d0973821319afaad

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47026
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/ulp/rtrs/rtrs-clt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b64415c6b3476cf9fa4d0aea3807065b8403a937
 	https://git.kernel.org/stable/c/676171f9405dcaa45a33d18241c32f387dbaae39
 	https://git.kernel.org/stable/c/d3cca8067d43dfee4a3535c645b55f618708dccb
 	https://git.kernel.org/stable/c/7f4a8592ff29f19c5a2ca549d0973821319afaad
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47026: RDMA/rtrs-clt: destroy sysfs after removing session from active list

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/rtrs-clt: destroy sysfs after removing session from active list

	A session can be removed dynamically by sysfs interface "remove_path" that
	eventually calls rtrs_clt_remove_path_from_sysfs function. The current
	rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and
	frees sess->stats object. Second it removes the session from the active
	list.

	Therefore some functions could access non-connected session and access the
	freed sess->stats object even-if they check the session status before
	accessing the session.

	For instance rtrs_clt_request and get_next_path_min_inflight check the
	session status and try to send IO to the session. The session status
	could be changed when they are trying to send IO but they could not catch
	the change and update the statistics information in sess->stats object,
	and generate use-after-free problem.
	(see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its
	stats")

	This patch changes the rtrs_clt_remove_path_from_sysfs to remove the
	session from the active session list and then destroy the sysfs
	interfaces.

	Each function still should check the session status because closing or
	error recovery paths can change the status.

	The Linux kernel CVE team has assigned CVE-2021-47026 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.10.37 with commit b64415c6b3476cf9fa4d0aea3807065b8403a937
	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.11.21 with commit 676171f9405dcaa45a33d18241c32f387dbaae39
	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.12.4 with commit d3cca8067d43dfee4a3535c645b55f618708dccb
	Issue introduced in 5.8 with commit 6a98d71daea186247005099758af549e6afdd244 and fixed in 5.13 with commit 7f4a8592ff29f19c5a2ca549d0973821319afaad

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47026
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/ulp/rtrs/rtrs-clt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b64415c6b3476cf9fa4d0aea3807065b8403a937
	https://git.kernel.org/stable/c/676171f9405dcaa45a33d18241c32f387dbaae39
	https://git.kernel.org/stable/c/d3cca8067d43dfee4a3535c645b55f618708dccb
	https://git.kernel.org/stable/c/7f4a8592ff29f19c5a2ca549d0973821319afaad