cve/published/2021/CVE-2021-47338.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47338: fbmem: Do not delete the mode that is still in use

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 fbmem: Do not delete the mode that is still in use

 The execution of fb_delete_videomode() is not based on the result of the
 previous fbcon_mode_deleted(). As a result, the mode is directly deleted,
 regardless of whether it is still in use, which may cause UAF.

 ==================================================================
 BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
 drivers/video/fbdev/core/modedb.c:924
 Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

 CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
 Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x137/0x1be lib/dump_stack.c:118
  print_address_description+0x6c/0x640 mm/kasan/report.c:385
  __kasan_report mm/kasan/report.c:545 [inline]
  kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
  fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
  fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
  fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
  do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
  vfs_ioctl fs/ioctl.c:48 [inline]
  __do_sys_ioctl fs/ioctl.c:753 [inline]
  __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 Freed by task 18960:
  kasan_save_stack mm/kasan/common.c:48 [inline]
  kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
  kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
  __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
  slab_free_hook mm/slub.c:1541 [inline]
  slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
  slab_free mm/slub.c:3139 [inline]
  kfree+0xca/0x3d0 mm/slub.c:4121
  fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
  fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
  do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
  vfs_ioctl fs/ioctl.c:48 [inline]
  __do_sys_ioctl fs/ioctl.c:753 [inline]
  __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 The Linux kernel CVE team has assigned CVE-2021-47338 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.4.134 with commit 359311b85ebec7c07c3a08ae2f3def946cad33fa
 	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.10.52 with commit 087bff9acd2ec6db3f61aceb3224bde90fe0f7f8
 	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.12.19 with commit f193509afc7ff37a46862610c93b896044d5b693
 	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.13.4 with commit d6e76469157d8f240e5dec6f8411aa8d306b1126
 	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.14 with commit 0af778269a522c988ef0b4188556aba97fb420cc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47338
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/video/fbdev/core/fbmem.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/359311b85ebec7c07c3a08ae2f3def946cad33fa
 	https://git.kernel.org/stable/c/087bff9acd2ec6db3f61aceb3224bde90fe0f7f8
 	https://git.kernel.org/stable/c/f193509afc7ff37a46862610c93b896044d5b693
 	https://git.kernel.org/stable/c/d6e76469157d8f240e5dec6f8411aa8d306b1126
 	https://git.kernel.org/stable/c/0af778269a522c988ef0b4188556aba97fb420cc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47338: fbmem: Do not delete the mode that is still in use

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	fbmem: Do not delete the mode that is still in use

	The execution of fb_delete_videomode() is not based on the result of the
	previous fbcon_mode_deleted(). As a result, the mode is directly deleted,
	regardless of whether it is still in use, which may cause UAF.

	==================================================================
	BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \
	drivers/video/fbdev/core/modedb.c:924
	Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

	CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
	Call Trace:
	__dump_stack lib/dump_stack.c:77 [inline]
	dump_stack+0x137/0x1be lib/dump_stack.c:118
	print_address_description+0x6c/0x640 mm/kasan/report.c:385
	__kasan_report mm/kasan/report.c:545 [inline]
	kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
	fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
	fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
	fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
	do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
	vfs_ioctl fs/ioctl.c:48 [inline]
	__do_sys_ioctl fs/ioctl.c:753 [inline]
	__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
	do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
	entry_SYSCALL_64_after_hwframe+0x44/0xa9

	Freed by task 18960:
	kasan_save_stack mm/kasan/common.c:48 [inline]
	kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
	kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
	__kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
	slab_free_hook mm/slub.c:1541 [inline]
	slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
	slab_free mm/slub.c:3139 [inline]
	kfree+0xca/0x3d0 mm/slub.c:4121
	fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
	fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
	do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
	vfs_ioctl fs/ioctl.c:48 [inline]
	__do_sys_ioctl fs/ioctl.c:753 [inline]
	__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
	do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
	entry_SYSCALL_64_after_hwframe+0x44/0xa9

	The Linux kernel CVE team has assigned CVE-2021-47338 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.4.134 with commit 359311b85ebec7c07c3a08ae2f3def946cad33fa
	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.10.52 with commit 087bff9acd2ec6db3f61aceb3224bde90fe0f7f8
	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.12.19 with commit f193509afc7ff37a46862610c93b896044d5b693
	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.13.4 with commit d6e76469157d8f240e5dec6f8411aa8d306b1126
	Issue introduced in 5.3 with commit 13ff178ccd6d3b8074c542a911300b79c4eec255 and fixed in 5.14 with commit 0af778269a522c988ef0b4188556aba97fb420cc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47338
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/video/fbdev/core/fbmem.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/359311b85ebec7c07c3a08ae2f3def946cad33fa
	https://git.kernel.org/stable/c/087bff9acd2ec6db3f61aceb3224bde90fe0f7f8
	https://git.kernel.org/stable/c/f193509afc7ff37a46862610c93b896044d5b693
	https://git.kernel.org/stable/c/d6e76469157d8f240e5dec6f8411aa8d306b1126
	https://git.kernel.org/stable/c/0af778269a522c988ef0b4188556aba97fb420cc