CVE-2021-47388

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix use-after-free in CCMP/GCMP RX When PN checking is done in mac80211, for fragmentation we need to copy the PN to the RX struct so we can later use it to do a comparison, since commit bf30ca922a0c ("mac80211: check defrag PN against current frame"). Unfortunately, in that commit I used the 'hdr' variable without it being necessarily valid, so use-after-free could occur if it was necessary to reallocate (parts of) the frame. Fix this by reloading the variable after the code that results in the reallocations, if any. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9	Patch
https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78	Patch
https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd	Patch
https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258	Patch
https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32	Patch
https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0	Patch
https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8	Patch
https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb	Patch
https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9	Patch
https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78	Patch
https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd	Patch
https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258	Patch
https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32	Patch
https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0	Patch
https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8	Patch
https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.15:rc1::::::
	cpe:2.3:o:linux:linux_kernel:5.15:rc2::::::
	cpe:2.3:o:linux:linux_kernel:5.15:rc3::::::

History

30 Dec 2024, 20:05

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux
CPE		cpe:2.3:o:linux:linux_kernel:5.15:rc1:::::: cpe:2.3:o:linux:linux_kernel:5.15:rc3:::::: cpe:2.3:o:linux:linux_kernel:5.15:rc2:::::: cpe:2.3:o:linux:linux_kernel::::::::
CWE		CWE-416
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
References	~~() https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9 -~~	() https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9 - Patch
References	~~() https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78 -~~	() https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78 - Patch
References	~~() https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd -~~	() https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd - Patch
References	~~() https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258 -~~	() https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258 - Patch
References	~~() https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32 -~~	() https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32 - Patch
References	~~() https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0 -~~	() https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0 - Patch
References	~~() https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8 -~~	() https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8 - Patch
References	~~() https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb -~~	() https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb - Patch

21 Nov 2024, 06:36

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mac80211: corrige el use after free en CCMP/GCMP RX. Cuando se realiza la verificación de PN en mac80211, para la fragmentación necesitamos copiar el PN a la estructura RX para poder usarlo más tarde. para hacer una comparación, desde la confirmación bf30ca922a0c ("mac80211: verifique la desfragmentación PN con el marco actual"). Desafortunadamente, en esa confirmación utilicé la variable 'hdr' sin que fuera necesariamente válida, por lo que podría ocurrir un use after free si fuera necesario reasignar (partes de) el marco. Solucione este problema recargando la variable después del código que da como resultado las reasignaciones, si corresponde. Esto corrige https://bugzilla.kernel.org/show_bug.cgi?id=214401.
References	~~() https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9 -~~	() https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9 -
References	~~() https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78 -~~	() https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78 -
References	~~() https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd -~~	() https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd -
References	~~() https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258 -~~	() https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258 -
References	~~() https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32 -~~	() https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32 -
References	~~() https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0 -~~	() https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0 -
References	~~() https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8 -~~	() https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8 -
References	~~() https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb -~~	() https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb -

21 May 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-21 15:15

Updated : 2024-12-30 20:05

NVD link : CVE-2021-47388

Mitre link : CVE-2021-47388

CVE.ORG link : CVE-2021-47388

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2021-47388", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:24.257", "references": [{"url": "https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix use-after-free in CCMP/GCMP RX\n\nWhen PN checking is done in mac80211, for fragmentation we need\nto copy the PN to the RX struct so we can later use it to do a\ncomparison, since commit bf30ca922a0c (\"mac80211: check defrag\nPN against current frame\").\n\nUnfortunately, in that commit I used the 'hdr' variable without\nit being necessarily valid, so use-after-free could occur if it\nwas necessary to reallocate (parts of) the frame.\n\nFix this by reloading the variable after the code that results\nin the reallocations, if any.\n\nThis fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401."}, {"lang": "es", "value": " En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mac80211: corrige el use after free en CCMP/GCMP RX. Cuando se realiza la verificaci\u00f3n de PN en mac80211, para la fragmentaci\u00f3n necesitamos copiar el PN a la estructura RX para poder usarlo m\u00e1s tarde. para hacer una comparaci\u00f3n, desde la confirmaci\u00f3n bf30ca922a0c (\"mac80211: verifique la desfragmentaci\u00f3n PN con el marco actual\"). Desafortunadamente, en esa confirmaci\u00f3n utilic\u00e9 la variable 'hdr' sin que fuera necesariamente v\u00e1lida, por lo que podr\u00eda ocurrir un use after free si fuera necesario reasignar (partes de) el marco. Solucione este problema recargando la variable despu\u00e9s del c\u00f3digo que da como resultado las reasignaciones, si corresponde. Esto corrige https://bugzilla.kernel.org/show_bug.cgi?id=214401."}], "lastModified": "2024-12-30T20:05:07.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3798718F-8A7B-4C97-8B85-EA902E299CE5", "versionEndExcluding": "4.4.286", "versionStartIncluding": "4.4.271"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7EF9410E-0AB3-4902-BB1F-809E5D8D3EB9", "versionEndExcluding": "4.9.285", "versionStartIncluding": "4.9.271"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAF50BD1-6DBB-423F-95D8-09FEF61110B9", "versionEndExcluding": "4.14.249", "versionStartIncluding": "4.14.235"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB5D56FB-33D5-47AB-B271-16B2AA4047CD", "versionEndExcluding": "4.19.209", "versionStartIncluding": "4.19.193"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3582105-83A6-44A2-A5FD-A8601682F907", "versionEndExcluding": "5.4.151", "versionStartIncluding": "5.4.124"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E03A7BF-F96F-4146-8E03-D147DC3FDD5D", "versionEndExcluding": "5.10.71", "versionStartIncluding": "5.10.42"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9547C1C-2496-47AE-AE18-BA7E79470606", "versionEndExcluding": "5.14.10", "versionStartIncluding": "5.12.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E46C74C6-B76B-4C94-A6A4-FD2FFF62D644"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60134C3A-06E4-48C1-B04F-2903732A4E56"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

7.8 /10