cve/published/2021/CVE-2021-47541.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47541: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

 In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
 tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
 After that mlx4_en_alloc_resources() is called and there is a dereference
 of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
 a use after free problem on failure of mlx4_en_copy_priv().

 Fix this bug by adding a check of mlx4_en_copy_priv()

 This bug was found by a static analyzer. The analysis employs
 differential checking to identify inconsistent security operations
 (e.g., checks or kfrees) between two code paths and confirms that the
 inconsistent operations are not recovered in the current function or
 the callers, so they constitute bugs.

 Note that, as a bug found by static analysis, it can be a false
 positive or hard to trigger. Multiple researchers have cross-reviewed
 the bug.

 Builds with CONFIG_MLX4_EN=m show no new warnings,
 and our static analyzer no longer warns about this code.

 The Linux kernel CVE team has assigned CVE-2021-47541 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 4.14.257 with commit be12572c5ddc8ad7453bada4eec8fa46967dc757
 	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 4.19.220 with commit 676dc7d9b15bf8733233a2db1ec3f9091ab34275
 	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.4.164 with commit e461a9816a1ac5b4aeb61621b817225b61e46a68
 	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.10.84 with commit f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b
 	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.15.7 with commit 75917372eef0dbfb290ae45474314d35f97aea18
 	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.16 with commit addad7643142f500080417dd7272f49b7a185570

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47541
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx4/en_netdev.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/be12572c5ddc8ad7453bada4eec8fa46967dc757
 	https://git.kernel.org/stable/c/676dc7d9b15bf8733233a2db1ec3f9091ab34275
 	https://git.kernel.org/stable/c/e461a9816a1ac5b4aeb61621b817225b61e46a68
 	https://git.kernel.org/stable/c/f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b
 	https://git.kernel.org/stable/c/75917372eef0dbfb290ae45474314d35f97aea18
 	https://git.kernel.org/stable/c/addad7643142f500080417dd7272f49b7a185570
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47541: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

	In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
	tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
	After that mlx4_en_alloc_resources() is called and there is a dereference
	of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
	a use after free problem on failure of mlx4_en_copy_priv().

	Fix this bug by adding a check of mlx4_en_copy_priv()

	This bug was found by a static analyzer. The analysis employs
	differential checking to identify inconsistent security operations
	(e.g., checks or kfrees) between two code paths and confirms that the
	inconsistent operations are not recovered in the current function or
	the callers, so they constitute bugs.

	Note that, as a bug found by static analysis, it can be a false
	positive or hard to trigger. Multiple researchers have cross-reviewed
	the bug.

	Builds with CONFIG_MLX4_EN=m show no new warnings,
	and our static analyzer no longer warns about this code.

	The Linux kernel CVE team has assigned CVE-2021-47541 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 4.14.257 with commit be12572c5ddc8ad7453bada4eec8fa46967dc757
	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 4.19.220 with commit 676dc7d9b15bf8733233a2db1ec3f9091ab34275
	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.4.164 with commit e461a9816a1ac5b4aeb61621b817225b61e46a68
	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.10.84 with commit f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b
	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.15.7 with commit 75917372eef0dbfb290ae45474314d35f97aea18
	Issue introduced in 4.7 with commit ec25bc04ed8e12947738468cbe2191f1529f9e39 and fixed in 5.16 with commit addad7643142f500080417dd7272f49b7a185570

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47541
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx4/en_netdev.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/be12572c5ddc8ad7453bada4eec8fa46967dc757
	https://git.kernel.org/stable/c/676dc7d9b15bf8733233a2db1ec3f9091ab34275
	https://git.kernel.org/stable/c/e461a9816a1ac5b4aeb61621b817225b61e46a68
	https://git.kernel.org/stable/c/f1d43efa59f1edd3e7eca0e94559b4c6b1cd4e2b
	https://git.kernel.org/stable/c/75917372eef0dbfb290ae45474314d35f97aea18
	https://git.kernel.org/stable/c/addad7643142f500080417dd7272f49b7a185570