cve/published/2021/CVE-2021-47506.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47506: nfsd: fix use-after-free due to delegation race

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfsd: fix use-after-free due to delegation race

 A delegation break could arrive as soon as we've called vfs_setlease.  A
 delegation break runs a callback which immediately (in
 nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru.  If we
 then exit nfs4_set_delegation without hashing the delegation, it will be
 freed as soon as the callback is done with it, without ever being
 removed from del_recall_lru.

 Symptoms show up later as use-after-free or list corruption warnings,
 usually in the laundromat thread.

 I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
 writes" made this bug easier to hit, but I looked as far back as v3.0
 and it looks to me it already had the same problem.  So I'm not sure
 where the bug was introduced; it may have been there from the beginning.

 The Linux kernel CVE team has assigned CVE-2021-47506 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.4.296 with commit 04a8d07f3d58308b92630045560799a3faa3ebce
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.9.294 with commit 348714018139c39533c55661a0c7c990671396b4
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.14.259 with commit 33645d3e22720cac1e4548f8fef57bf0649536ee
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.19.222 with commit 2becaa990b93cbd2928292c0b669d3abb6cf06d4
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.4.168 with commit e0759696de6851d7536efddfdd2dfed4c4df1f09
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.10.85 with commit eeb0711801f5e19ef654371b627682aed3b11373
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.15.8 with commit 148c816f10fd11df27ca6a9b3238cdd42fa72cd3
 	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.16 with commit 548ec0805c399c65ed66c6641be467f717833ab5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47506
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nfsd/nfs4state.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce
 	https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4
 	https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee
 	https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4
 	https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09
 	https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373
 	https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3
 	https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47506: nfsd: fix use-after-free due to delegation race

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfsd: fix use-after-free due to delegation race

	A delegation break could arrive as soon as we've called vfs_setlease. A
	delegation break runs a callback which immediately (in
	nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
	then exit nfs4_set_delegation without hashing the delegation, it will be
	freed as soon as the callback is done with it, without ever being
	removed from del_recall_lru.

	Symptoms show up later as use-after-free or list corruption warnings,
	usually in the laundromat thread.

	I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
	writes" made this bug easier to hit, but I looked as far back as v3.0
	and it looks to me it already had the same problem. So I'm not sure
	where the bug was introduced; it may have been there from the beginning.

	The Linux kernel CVE team has assigned CVE-2021-47506 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.4.296 with commit 04a8d07f3d58308b92630045560799a3faa3ebce
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.9.294 with commit 348714018139c39533c55661a0c7c990671396b4
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.14.259 with commit 33645d3e22720cac1e4548f8fef57bf0649536ee
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 4.19.222 with commit 2becaa990b93cbd2928292c0b669d3abb6cf06d4
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.4.168 with commit e0759696de6851d7536efddfdd2dfed4c4df1f09
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.10.85 with commit eeb0711801f5e19ef654371b627682aed3b11373
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.15.8 with commit 148c816f10fd11df27ca6a9b3238cdd42fa72cd3
	Issue introduced in 3.17 with commit dff1399f8addf7129c49bb2227469da79cc30b47 and fixed in 5.16 with commit 548ec0805c399c65ed66c6641be467f717833ab5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47506
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nfsd/nfs4state.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce
	https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4
	https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee
	https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4
	https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09
	https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373
	https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3
	https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5