CVE-2021-47280

In the Linux kernel, the following vulnerability has been resolved: drm: Fix use-after-free read in drm_getunique() There is a time-of-check-to-time-of-use error in drm_getunique() due to retrieving file_priv->master prior to locking the device's master mutex. An example can be seen in the crash report of the use-after-free error found by Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 In the report, the master pointer was used after being freed. This is because another process had acquired the device's master mutex in drm_setmaster_ioctl(), then overwrote fpriv->master in drm_new_set_master(). The old value of fpriv->master was subsequently freed before the mutex was unlocked. To fix this, we lock the device's master mutex before retrieving the pointer from from fpriv->master. This patch passes the Syzbot reproducer test.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*

History

24 Dec 2024, 16:31

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.0
CWE CWE-367
CWE-416
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/17dab9326ff263c62dab1dbac4492e2938a049e4 - () https://git.kernel.org/stable/c/17dab9326ff263c62dab1dbac4492e2938a049e4 - Patch
References () https://git.kernel.org/stable/c/491d52e0078860b33b6c14f0a7ac74ca1b603bd6 - () https://git.kernel.org/stable/c/491d52e0078860b33b6c14f0a7ac74ca1b603bd6 - Patch
References () https://git.kernel.org/stable/c/7d233ba700ceb593905ea82b42dadb4ec8ef85e9 - () https://git.kernel.org/stable/c/7d233ba700ceb593905ea82b42dadb4ec8ef85e9 - Patch
References () https://git.kernel.org/stable/c/b246b4c70c1250e7814f409b243000f9c0bf79a3 - () https://git.kernel.org/stable/c/b246b4c70c1250e7814f409b243000f9c0bf79a3 - Patch
References () https://git.kernel.org/stable/c/b436acd1cf7fac0ba987abd22955d98025c80c2b - () https://git.kernel.org/stable/c/b436acd1cf7fac0ba987abd22955d98025c80c2b - Patch
References () https://git.kernel.org/stable/c/f773f8cccac13c7e7bbd9182e7996c727742488e - () https://git.kernel.org/stable/c/f773f8cccac13c7e7bbd9182e7996c727742488e - Patch

21 Nov 2024, 06:35

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm: corrige la lectura de use after free en drm_getunique(). Hay un error de tiempo de verificación a tiempo de uso en drm_getunique() debido a la recuperación de file_priv. ->master antes de bloquear el mutex maestro del dispositivo. Se puede ver un ejemplo en el informe de fallo del error de use after free encontrado por Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 En el informe, el puntero maestro se utilizó después de ser liberado. Esto se debe a que otro proceso adquirió el mutex maestro del dispositivo en drm_setmaster_ioctl() y luego sobrescribió fpriv->master en drm_new_set_master(). El antiguo valor de fpriv->master se liberó posteriormente antes de que se desbloqueara el mutex. Para solucionar este problema, bloqueamos el mutex maestro del dispositivo antes de recuperar el puntero desde fpriv->master. Este parche pasa la prueba del reproductor Syzbot.
References () https://git.kernel.org/stable/c/17dab9326ff263c62dab1dbac4492e2938a049e4 - () https://git.kernel.org/stable/c/17dab9326ff263c62dab1dbac4492e2938a049e4 -
References () https://git.kernel.org/stable/c/491d52e0078860b33b6c14f0a7ac74ca1b603bd6 - () https://git.kernel.org/stable/c/491d52e0078860b33b6c14f0a7ac74ca1b603bd6 -
References () https://git.kernel.org/stable/c/7d233ba700ceb593905ea82b42dadb4ec8ef85e9 - () https://git.kernel.org/stable/c/7d233ba700ceb593905ea82b42dadb4ec8ef85e9 -
References () https://git.kernel.org/stable/c/b246b4c70c1250e7814f409b243000f9c0bf79a3 - () https://git.kernel.org/stable/c/b246b4c70c1250e7814f409b243000f9c0bf79a3 -
References () https://git.kernel.org/stable/c/b436acd1cf7fac0ba987abd22955d98025c80c2b - () https://git.kernel.org/stable/c/b436acd1cf7fac0ba987abd22955d98025c80c2b -
References () https://git.kernel.org/stable/c/f773f8cccac13c7e7bbd9182e7996c727742488e - () https://git.kernel.org/stable/c/f773f8cccac13c7e7bbd9182e7996c727742488e -

21 May 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-21 15:15

Updated : 2024-12-24 16:31


NVD link : CVE-2021-47280

Mitre link : CVE-2021-47280

CVE.ORG link : CVE-2021-47280


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-416

Use After Free