cve/published/2021/CVE-2021-47111.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47111: xen-netback: take a reference to the RX task thread

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 xen-netback: take a reference to the RX task thread

 Do this in order to prevent the task from being freed if the thread
 returns (which can be triggered by the frontend) before the call to
 kthread_stop done as part of the backend tear down. Not taking the
 reference will lead to a use-after-free in that scenario. Such
 reference was taken before but dropped as part of the rework done in
 2ac061ce97f4.

 Reintroduce the reference taking and add a comment this time
 explaining why it's needed.

 This is XSA-374 / CVE-2021-28691.

 The Linux kernel CVE team has assigned CVE-2021-47111 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit 2ac061ce97f413bfbbdd768f7d2e0fda2e8170df and fixed in 5.10.43 with commit 6b53db8c4c14b4e7256f058d202908b54a7b85b4
 	Issue introduced in 5.5 with commit 2ac061ce97f413bfbbdd768f7d2e0fda2e8170df and fixed in 5.12.10 with commit caec9bcaeb1a5f03f2d406305355c853af10c13e
 	Issue introduced in 5.5 with commit 2ac061ce97f413bfbbdd768f7d2e0fda2e8170df and fixed in 5.13 with commit 107866a8eb0b664675a260f1ba0655010fac1e08

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47111
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/xen-netback/interface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4
 	https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e
 	https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47111: xen-netback: take a reference to the RX task thread

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	xen-netback: take a reference to the RX task thread

	Do this in order to prevent the task from being freed if the thread
	returns (which can be triggered by the frontend) before the call to
	kthread_stop done as part of the backend tear down. Not taking the
	reference will lead to a use-after-free in that scenario. Such
	reference was taken before but dropped as part of the rework done in
	2ac061ce97f4.

	Reintroduce the reference taking and add a comment this time
	explaining why it's needed.

	This is XSA-374 / CVE-2021-28691.

	The Linux kernel CVE team has assigned CVE-2021-47111 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit 2ac061ce97f413bfbbdd768f7d2e0fda2e8170df and fixed in 5.10.43 with commit 6b53db8c4c14b4e7256f058d202908b54a7b85b4
	Issue introduced in 5.5 with commit 2ac061ce97f413bfbbdd768f7d2e0fda2e8170df and fixed in 5.12.10 with commit caec9bcaeb1a5f03f2d406305355c853af10c13e
	Issue introduced in 5.5 with commit 2ac061ce97f413bfbbdd768f7d2e0fda2e8170df and fixed in 5.13 with commit 107866a8eb0b664675a260f1ba0655010fac1e08

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47111
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/xen-netback/interface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4
	https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e
	https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08