CVE-2021-47118

CVE Details

Release Date:2024-03-15

Description


In the Linux kernel, the following vulnerability has been resolved:\npid: take a reference when initializing `cad_pid`\nDuring boot, kernel_init_freeable() initializes `cad_pid` to the init\ntask's struct pid. Later on, we may change `cad_pid` via a sysctl, and\nwhen this happens proc_do_cad_pid() will increment the refcount on the\nnew pid via get_pid(), and will decrement the refcount on the old pid\nvia put_pid(). As we never called get_pid() when we initialized\n`cad_pid`, we decrement a reference we never incremented, can therefore\nfree the init task's struct pid early. As there can be dangling\nreferences to the struct pid, we can later encounter a use-after-free\n(e.g. when delivering signals).\nThis was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to\nhave been around since the conversion of `cad_pid` to struct pid in\ncommit 9ec52099e4b8 ('[PATCH] replace cad_pid by a struct pid') from the\npre-KASAN stone age of v2.6.19.\nFix this by getting a reference to the init task's struct pid when we\nassign it to `cad_pid`.\nFull KASAN splat below.\n==================================================================\nBUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]\nBUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\nRead of size 4 at addr ffff23794dda0004 by task syz-executor.0/273\nCPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1\nHardware name: linux,dummy-virt (DT)\nCall trace:\nns_of_pid include/linux/pid.h:153 [inline]\ntask_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\ndo_notify_parent+0x308/0xe60 kernel/signal.c:1950\nexit_notify kernel/exit.c:682 [inline]\ndo_exit+0x2334/0x2bd0 kernel/exit.c:845\ndo_group_exit+0x108/0x2c8 kernel/exit.c:922\nget_signal+0x4e4/0x2a88 kernel/signal.c:2781\ndo_signal arch/arm64/kernel/signal.c:882 [inline]\ndo_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936\nwork_pending+0xc/0x2dc\nAllocated by task 0:\nslab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516\nslab_alloc_node mm/slub.c:2907 [inline]\nslab_alloc mm/slub.c:2915 [inline]\nkmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920\nalloc_pid+0xdc/0xc00 kernel/pid.c:180\ncopy_process+0x2794/0x5e18 kernel/fork.c:2129\nkernel_clone+0x194/0x13c8 kernel/fork.c:2500\nkernel_thread+0xd4/0x110 kernel/fork.c:2552\nrest_init+0x44/0x4a0 init/main.c:687\narch_call_rest_init+0x1c/0x28\nstart_kernel+0x520/0x554 init/main.c:1064\n0x0\nFreed by task 270:\nslab_free_hook mm/slub.c:1562 [inline]\nslab_free_freelist_hook+0x98/0x260 mm/slub.c:1600\nslab_free mm/slub.c:3161 [inline]\nkmem_cache_free+0x224/0x8e0 mm/slub.c:3177\nput_pid.part.4+0xe0/0x1a8 kernel/pid.c:114\nput_pid+0x30/0x48 kernel/pid.c:109\nproc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401\nproc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591\nproc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617\ncall_write_iter include/linux/fs.h:1977 [inline]\nnew_sync_write+0x3ac/0x510 fs/read_write.c:518\nvfs_write fs/read_write.c:605 [inline]\nvfs_write+0x9c4/0x1018 fs/read_write.c:585\nksys_write+0x124/0x240 fs/read_write.c:658\n__do_sys_write fs/read_write.c:670 [inline]\n__se_sys_write fs/read_write.c:667 [inline]\n__arm64_sys_write+0x78/0xb0 fs/read_write.c:667\n__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\ninvoke_syscall arch/arm64/kernel/syscall.c:49 [inline]\nel0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129\ndo_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168\nel0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416\nel0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432\nel0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701\nThe buggy address belongs to the object at ffff23794dda0000\nwhich belongs to the cache pid of size 224\nThe buggy address is located 4 bytes inside of\n224-byte region [ff\n---truncated---

See more information about CVE-2021-47118 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 4.1 CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local network Attack Complexity: High
Privileges Required: High User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 6 (kernel-uek)ELSA-2024-126062024-09-02
Oracle Linux version 7 (kernel-uek)ELSA-2024-126062024-09-02
Oracle Linux version 8 (kernel)ELSA-2024-36182024-06-05
Oracle VM version 3 (kernel-uek)OVMSA-2024-00112024-09-03


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete