cve/published/2021/CVE-2021-47082.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47082: tun: avoid double free in tun_free_netdev

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tun: avoid double free in tun_free_netdev

 Avoid double free in tun_free_netdev() by moving the
 dev->tstats and tun->security allocs to a new ndo_init routine
 (tun_net_init()) that will be called by register_netdevice().
 ndo_init is paired with the desctructor (tun_free_netdev()),
 so if there's an error in register_netdevice() the destructor
 will handle the frees.

 BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

 CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
 Hardware name: Red Hat KVM, BIOS
 Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
 ____kasan_slab_free mm/kasan/common.c:346 [inline]
 __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook mm/slub.c:1749 [inline]
 slab_free mm/slub.c:3513 [inline]
 kfree+0xac/0x2d0 mm/slub.c:4561
 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

 The Linux kernel CVE team has assigned CVE-2021-47082 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.280 with commit 8eb43d635950e27c29f1e9e49a23b31637f37757
 	Fixed in 5.4.240 with commit 0c0e566f0387490d16f166808c72e9c772027681
 	Fixed in 5.10.136 with commit a01a4e9f5dc93335c716fa4023b1901956e8c904
 	Fixed in 5.15.12 with commit 3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5
 	Fixed in 5.16 with commit 158b515f703e75e7d68289bf4d98c664e1d632df

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47082
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/tun.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757
 	https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681
 	https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904
 	https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5
 	https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47082: tun: avoid double free in tun_free_netdev

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tun: avoid double free in tun_free_netdev

	Avoid double free in tun_free_netdev() by moving the
	dev->tstats and tun->security allocs to a new ndo_init routine
	(tun_net_init()) that will be called by register_netdevice().
	ndo_init is paired with the desctructor (tun_free_netdev()),
	so if there's an error in register_netdevice() the destructor
	will handle the frees.

	BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

	CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
	Hardware name: Red Hat KVM, BIOS
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
	print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
	kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
	____kasan_slab_free mm/kasan/common.c:346 [inline]
	__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
	kasan_slab_free include/linux/kasan.h:235 [inline]
	slab_free_hook mm/slub.c:1723 [inline]
	slab_free_freelist_hook mm/slub.c:1749 [inline]
	slab_free mm/slub.c:3513 [inline]
	kfree+0xac/0x2d0 mm/slub.c:4561
	selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
	security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
	tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
	netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
	rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
	__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
	tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
	vfs_ioctl fs/ioctl.c:51 [inline]
	__do_sys_ioctl fs/ioctl.c:874 [inline]
	__se_sys_ioctl fs/ioctl.c:860 [inline]
	__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The Linux kernel CVE team has assigned CVE-2021-47082 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.280 with commit 8eb43d635950e27c29f1e9e49a23b31637f37757
	Fixed in 5.4.240 with commit 0c0e566f0387490d16f166808c72e9c772027681
	Fixed in 5.10.136 with commit a01a4e9f5dc93335c716fa4023b1901956e8c904
	Fixed in 5.15.12 with commit 3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5
	Fixed in 5.16 with commit 158b515f703e75e7d68289bf4d98c664e1d632df

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47082
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/tun.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757
	https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681
	https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904
	https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5
	https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df