cve/rejected/2021/CVE-2021-47085.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhamradio: improve the incomplete fix to avoid NPD\n\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\n\nThis commit improves the previous one by also deferring the nullify of\nthe ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\n dev_hard_start_xmit+0xec/0x320\n sch_direct_xmit+0xea/0x240\n __qdisc_run+0x166/0x5c0\n __dev_queue_xmit+0x2c7/0xaf0\n ax25_std_establish_data_link+0x59/0x60\n ax25_connect+0x3a0/0x500\n ? security_socket_connect+0x2b/0x40\n __sys_connect+0x96/0xc0\n ? __hrtimer_init+0xc0/0xc0\n ? common_nsleep+0x2e/0x50\n ? switch_fpu_return+0x139/0x1a0\n __x64_sys_connect+0x11/0x20\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe crash point is shown as below\n\nstatic void ax_encaps(...) {\n  ...\n  set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!\n  ...\n}\n\nBy placing the nullify action after the unregister_netdev, the ax->tty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "versions": [
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "371a874ea06f",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "83ba6ec97c74",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "a7b0ae2cc486",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "b68f41c6320b",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "a5c6a13e9056",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "7dd52af1eb57",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "03d00f7f1815",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "b2f37aead1b8",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "versions": [
                   {
                      "version": "4.4.297",
                      "lessThanOrEqual": "4.4.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "4.9.295",
                      "lessThanOrEqual": "4.9.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "4.14.260",
                      "lessThanOrEqual": "4.14.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "4.19.223",
                      "lessThanOrEqual": "4.19.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "5.4.169",
                      "lessThanOrEqual": "5.4.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "5.10.89",
                      "lessThanOrEqual": "5.10.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "5.15.12",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "5.16",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/371a874ea06f147d6ca30be43dad33683965eba6"
             },
             {
                "url": "https://git.kernel.org/stable/c/83ba6ec97c74fb1a60f7779a26b6a94b28741d8a"
             },
             {
                "url": "https://git.kernel.org/stable/c/a7b0ae2cc486fcb601f9f9d87d98138cc7b7f7f9"
             },
             {
                "url": "https://git.kernel.org/stable/c/b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59"
             },
             {
                "url": "https://git.kernel.org/stable/c/a5c6a13e9056d87805ba3042c208fbd4164ad22b"
             },
             {
                "url": "https://git.kernel.org/stable/c/7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca"
             },
             {
                "url": "https://git.kernel.org/stable/c/03d00f7f1815ec00dab5035851b3de83afd054a8"
             },
             {
                "url": "https://git.kernel.org/stable/c/b2f37aead1b82a770c48b5d583f35ec22aabb61e"
             }
          ],
          "title": "hamradio: improve the incomplete fix to avoid NPD",
          "x_generator": {
             "engine": "bippy-4986f5686161"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2021-47085",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhamradio: improve the incomplete fix to avoid NPD\n\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\n\nThis commit improves the previous one by also deferring the nullify of\nthe ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\n dev_hard_start_xmit+0xec/0x320\n sch_direct_xmit+0xea/0x240\n __qdisc_run+0x166/0x5c0\n __dev_queue_xmit+0x2c7/0xaf0\n ax25_std_establish_data_link+0x59/0x60\n ax25_connect+0x3a0/0x500\n ? security_socket_connect+0x2b/0x40\n __sys_connect+0x96/0xc0\n ? __hrtimer_init+0xc0/0xc0\n ? common_nsleep+0x2e/0x50\n ? switch_fpu_return+0x139/0x1a0\n __x64_sys_connect+0x11/0x20\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe crash point is shown as below\n\nstatic void ax_encaps(...) {\n ...\n set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!\n ...\n}\n\nBy placing the nullify action after the unregister_netdev, the ax->tty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"versions": [
	{
	"version": "1da177e4c3f4",
	"lessThan": "371a874ea06f",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "83ba6ec97c74",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "a7b0ae2cc486",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "b68f41c6320b",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "a5c6a13e9056",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "7dd52af1eb57",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "03d00f7f1815",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "b2f37aead1b8",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"versions": [
	{
	"version": "4.4.297",
	"lessThanOrEqual": "4.4.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "4.9.295",
	"lessThanOrEqual": "4.9.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "4.14.260",
	"lessThanOrEqual": "4.14.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "4.19.223",
	"lessThanOrEqual": "4.19.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "5.4.169",
	"lessThanOrEqual": "5.4.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "5.10.89",
	"lessThanOrEqual": "5.10.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "5.15.12",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "5.16",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/371a874ea06f147d6ca30be43dad33683965eba6"
	},
	{
	"url": "https://git.kernel.org/stable/c/83ba6ec97c74fb1a60f7779a26b6a94b28741d8a"
	},
	{
	"url": "https://git.kernel.org/stable/c/a7b0ae2cc486fcb601f9f9d87d98138cc7b7f7f9"
	},
	{
	"url": "https://git.kernel.org/stable/c/b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59"
	},
	{
	"url": "https://git.kernel.org/stable/c/a5c6a13e9056d87805ba3042c208fbd4164ad22b"
	},
	{
	"url": "https://git.kernel.org/stable/c/7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca"
	},
	{
	"url": "https://git.kernel.org/stable/c/03d00f7f1815ec00dab5035851b3de83afd054a8"
	},
	{
	"url": "https://git.kernel.org/stable/c/b2f37aead1b82a770c48b5d583f35ec22aabb61e"
	}
	],
	"title": "hamradio: improve the incomplete fix to avoid NPD",
	"x_generator": {
	"engine": "bippy-4986f5686161"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2021-47085",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}