| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n klist_dec_and_del+0xa7/0x4a0\n klist_put+0xc7/0x1a0\n device_del+0x4d4/0xed0\n cdev_device_del+0x1a/0x80\n ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n device_add+0x60a/0x18b0\n cdev_device_add+0x103/0x170\n ubi_create_volume+0x1118/0x1a10 [ubi]\n ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n cdev_device_del+0x1a/0x80\n ubi_remove_volume+0x438/0x6c0 [ubi]\n ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_add_volume\n // sysfs exist\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n cdev_del\n // double free\n cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_debugfs_init_dev\n //error goto out_uif;\n uif_close\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 make device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show.This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counting are released.\nThe key process is shown in the following stack.\n\ndevice_del\n device_remove_attrs\n device_remove_groups\n sysfs_remove_groups\n sysfs_remove_group\n remove_files\n kernfs_remove_by_name\n kernfs_remove_by_name_ns\n __kernfs_remove\n kernfs_drain" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/mtd/ubi/build.c", |
| "drivers/mtd/ubi/vmt.c" |
| ], |
| "versions": [ |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "f149b1bd213820363731aa119e5011ca892a2aac", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "a8ecee49259f8f78d91ddb329ab2be7e6fd01974", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "d727fd32cbd1abf3465f607021bc9c746f17b5a8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "432b057f8e847ae5a2306515606f8d2defaca178", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "1a3f1cf87054833242fcd0218de0481cf855f888", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "c32fe764191b8ae8b128588beb96e3718d9179d8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "714fb87e8bc05ff78255afc0dca981e8c5242785", |
| "lessThan": "3cbf0e392f173ba0ce425968c8374a6aa3e90f2e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "016820bde3f0895d09fcad370415085ba0d1bd4a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "12f567db822241090b90c5645ea9146f6cf8fa42", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "31b0fca8ab9b9786fe6e5027c4a8587b47db5abf", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "6117840dec60344167038f9511c3770d4c096eaa", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "bd7d3de27e7e1acce2e276074a498a82e0834663", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "cdf25333b42fb889f086ef65d0734d0dbdc49f4e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "ae32d1b98ba29408df87c0ed47877ca0f248eae7", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "4056337b1e81a1b137aa562133dc5430cd2fd19e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "f3db4c640b32485105554e0bfd16bbde585f6fb0", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/mtd/ubi/build.c", |
| "drivers/mtd/ubi/vmt.c" |
| ], |
| "versions": [ |
| { |
| "version": "4.8", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "4.8", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.14.276", |
| "lessThanOrEqual": "4.14.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.19.238", |
| "lessThanOrEqual": "4.19.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.189", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.110", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.33", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.16.19", |
| "lessThanOrEqual": "5.16.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.17.2", |
| "lessThanOrEqual": "5.17.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.18", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "4.14.276" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "4.19.238" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "5.4.189" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "5.10.110" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "5.15.33" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "5.16.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "5.17.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.8", |
| "versionEndExcluding": "5.18" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.2.84" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.10.103" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.12.63" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.14.77" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.16.39" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.18.40" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.1.31" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.4.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.7.2" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e" |
| } |
| ], |
| "title": "ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2021-47634", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
