cve/published/2021/CVE-2021-47248.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47248: udp: fix race between close() and udp_abort()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 udp: fix race between close() and udp_abort()

 Kaustubh reported and diagnosed a panic in udp_lib_lookup().
 The root cause is udp_abort() racing with close(). Both
 racing functions acquire the socket lock, but udp{v6}_destroy_sock()
 release it before performing destructive actions.

 We can't easily extend the socket lock scope to avoid the race,
 instead use the SOCK_DEAD flag to prevent udp_abort from doing
 any action when the critical race happens.

 Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>

 The Linux kernel CVE team has assigned CVE-2021-47248 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 4.9.274 with commit e3c36c773aed0fef8b1d3d555b43393ec564400f
 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 4.14.238 with commit a0882f68f54f7a8b6308261acee9bd4faab5a69e
 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 4.19.196 with commit 2f73448041bd0682d4b552cfd314ace66107f1ad
 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.4.128 with commit 5a88477c1c85e4baa51e91f2d40f2166235daa56
 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.10.46 with commit 8729ec8a2238152a4afc212a331a6cd2c61aeeac
 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.12.13 with commit 65310b0aff86980a011c7c7bfa487a333d4ca241
 	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.13 with commit a8b897c7bcd47f4147d066e22cc01d1026d7640e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47248
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/udp.c
 	net/ipv6/udp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f
 	https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e
 	https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad
 	https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56
 	https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac
 	https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241
 	https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47248: udp: fix race between close() and udp_abort()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	udp: fix race between close() and udp_abort()

	Kaustubh reported and diagnosed a panic in udp_lib_lookup().
	The root cause is udp_abort() racing with close(). Both
	racing functions acquire the socket lock, but udp{v6}_destroy_sock()
	release it before performing destructive actions.

	We can't easily extend the socket lock scope to avoid the race,
	instead use the SOCK_DEAD flag to prevent udp_abort from doing
	any action when the critical race happens.

	Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>

	The Linux kernel CVE team has assigned CVE-2021-47248 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 4.9.274 with commit e3c36c773aed0fef8b1d3d555b43393ec564400f
	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 4.14.238 with commit a0882f68f54f7a8b6308261acee9bd4faab5a69e
	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 4.19.196 with commit 2f73448041bd0682d4b552cfd314ace66107f1ad
	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.4.128 with commit 5a88477c1c85e4baa51e91f2d40f2166235daa56
	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.10.46 with commit 8729ec8a2238152a4afc212a331a6cd2c61aeeac
	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.12.13 with commit 65310b0aff86980a011c7c7bfa487a333d4ca241
	Issue introduced in 4.9 with commit 5d77dca82839ef016a93ad7acd7058b14d967752 and fixed in 5.13 with commit a8b897c7bcd47f4147d066e22cc01d1026d7640e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47248
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/udp.c
	net/ipv6/udp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f
	https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e
	https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad
	https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56
	https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac
	https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241
	https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e