nvd-json-data-feeds/CVE-2021/CVE-2021-476xx/CVE-2021-47634.json

{
  "id": "CVE-2021-47634",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-26T06:37:05.173",
  "lastModified": "2025-02-27T19:15:40.623",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n  klist_dec_and_del+0xa7/0x4a0\n  klist_put+0xc7/0x1a0\n  device_del+0x4d4/0xed0\n  cdev_device_del+0x1a/0x80\n  ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n  ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n  device_add+0x60a/0x18b0\n  cdev_device_add+0x103/0x170\n  ubi_create_volume+0x1118/0x1a10 [ubi]\n  ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n  cdev_device_del+0x1a/0x80\n  ubi_remove_volume+0x438/0x6c0 [ubi]\n  ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n           cpu1                   cpu2                  cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n  uif_init\n                           ubi_cdev_ioctl\n                            ubi_create_volume\n                             cdev_device_add\n   ubi_add_volume\n   // sysfs exist\n   kill_volumes\n                                                    ubi_cdev_ioctl\n                                                     ubi_remove_volume\n                                                      cdev_device_del\n                                                       // first free\n    ubi_free_volume\n     cdev_del\n     // double free\n   cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n           cpu1                   cpu2                  cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n  uif_init\n                           ubi_cdev_ioctl\n                            ubi_create_volume\n                             cdev_device_add\n  ubi_debugfs_init_dev\n  //error goto out_uif;\n  uif_close\n   kill_volumes\n                                                    ubi_cdev_ioctl\n                                                     ubi_remove_volume\n                                                      cdev_device_del\n                                                       // first free\n    ubi_free_volume\n    // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 make device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show.This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counting are released.\nThe key process is shown in the following stack.\n\ndevice_del\n  device_remove_attrs\n    device_remove_groups\n      sysfs_remove_groups\n        sysfs_remove_group\n          remove_files\n            kernfs_remove_by_name\n              kernfs_remove_by_name_ns\n                __kernfs_remove\n                  kernfs_drain"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ubi: Se corrige la condici\u00f3n de ejecuci\u00f3n entre ctrl_cdev_ioctl y ubi_cdev_ioctl Hulk Robot inform\u00f3 un informe de KASAN sobre use-after-free: ====================================================================== ERROR: KASAN: use-after-free en __list_del_entry_valid+0x13d/0x160 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888035e37d98 por la tarea ubiattach/1385 [...] Seguimiento de llamadas: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Asignado por la tarea 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Liberado por la tarea 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ===================================================================== El bloqueo retenido por ctrl_cdev_ioctl es ubi_devices_mutex, pero el bloqueo retenido por ubi_cdev_ioctl es ubi->device_mutex. Por lo tanto, los dos bloqueos pueden ser concurrentes. ctrl_cdev_ioctl contiene dos operaciones: ubi_attach y ubi_detach. ubi_detach est\u00e1 libre de errores porque utiliza el conteo de referencias para evitar la concurrencia. Sin embargo, uif_init y uif_close en ubi_attach pueden competir con ubi_cdev_ioctl. uif_init competir\u00e1 con ubi_cdev_ioctl como en la siguiente pila. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs existen kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // primer ubi_free_volume libre cdev_del // doble liberaci\u00f3n cdev_device_del Y uif_close competir\u00e1 con ubi_cdev_ioctl como en la siguiente pila. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // primera liberaci\u00f3n ubi_free_volume // doble liberaci\u00f3n La causa de este problema es que la confirmaci\u00f3n 714fb87e8bc0 hace que el dispositivo est\u00e9 \"disponible\" antes de que se pueda acceder a \u00e9l a trav\u00e9s de sysfs. Por lo tanto, revertimos la modificaci\u00f3n. Solucionaremos la condici\u00f3n de ejecuci\u00f3n entre la creaci\u00f3n del dispositivo ubi y udev eliminando ubi_get_device en vol_attribute_show y dev_attribute_show. Esto evita el acceso a ubi_devices[ubi_num] no inicializados. ubi_get_device se utiliza para evitar que se eliminen los dispositivos durante la ejecuci\u00f3n de sysfs. Sin embargo, ahora kernfs garantiza que los dispositivos no se eliminar\u00e1n antes de que se liberen todos los recuentos de referencias. El proceso clave se muestra en la siguiente pila. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}