CVE-2021-47082
Vulnerability from cvelistv5
Published
2024-03-04 18:06
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: avoid double free in tun_free_netdev
Avoid double free in tun_free_netdev() by moving the
dev->tstats and tun->security allocs to a new ndo_init routine
(tun_net_init()) that will be called by register_netdevice().
ndo_init is paired with the desctructor (tun_free_netdev()),
so if there's an error in register_netdevice() the destructor
will handle the frees.
BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
Hardware name: Red Hat KVM, BIOS
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
____kasan_slab_free mm/kasan/common.c:346 [inline]
__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1723 [inline]
slab_free_freelist_hook mm/slub.c:1749 [inline]
slab_free mm/slub.c:3513 [inline]
kfree+0xac/0x2d0 mm/slub.c:4561
selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47082", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T16:05:48.438280Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:14:25.499Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/tun.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8eb43d635950e27c29f1e9e49a23b31637f37757", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0c0e566f0387490d16f166808c72e9c772027681", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a01a4e9f5dc93335c716fa4023b1901956e8c904", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "158b515f703e75e7d68289bf4d98c664e1d632df", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/tun.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.280", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.240", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.136", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: avoid double free in tun_free_netdev\n\nAvoid double free in tun_free_netdev() by moving the\ndev-\u003etstats and tun-\u003esecurity allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there\u0027s an error in register_netdevice() the destructor\nwill handle the frees.\n\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\n\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:55.023Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757" }, { "url": "https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681" }, { "url": "https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904" }, { "url": "https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5" }, { "url": "https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df" } ], "title": "tun: avoid double free in tun_free_netdev", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47082", "datePublished": "2024-03-04T18:06:17.081Z", "dateReserved": "2024-02-29T22:33:44.298Z", "dateUpdated": "2024-12-19T07:34:55.023Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-47082\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-04T18:15:07.120\",\"lastModified\":\"2024-11-21T06:35:21.873\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntun: avoid double free in tun_free_netdev\\n\\nAvoid double free in tun_free_netdev() by moving the\\ndev-\u003etstats and tun-\u003esecurity allocs to a new ndo_init routine\\n(tun_net_init()) that will be called by register_netdevice().\\nndo_init is paired with the desctructor (tun_free_netdev()),\\nso if there\u0027s an error in register_netdevice() the destructor\\nwill handle the frees.\\n\\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\\n\\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\\nHardware name: Red Hat KVM, BIOS\\nCall Trace:\\n\u003cTASK\u003e\\n__dump_stack lib/dump_stack.c:88 [inline]\\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\\n____kasan_slab_free mm/kasan/common.c:346 [inline]\\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\\nkasan_slab_free include/linux/kasan.h:235 [inline]\\nslab_free_hook mm/slub.c:1723 [inline]\\nslab_free_freelist_hook mm/slub.c:1749 [inline]\\nslab_free mm/slub.c:3513 [inline]\\nkfree+0xac/0x2d0 mm/slub.c:4561\\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\\nvfs_ioctl fs/ioctl.c:51 [inline]\\n__do_sys_ioctl fs/ioctl.c:874 [inline]\\n__se_sys_ioctl fs/ioctl.c:860 [inline]\\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\\nentry_SYSCALL_64_after_hwframe+0x44/0xae\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tun: evita la doble liberaci\u00f3n en tun_free_netdev Evita la doble liberaci\u00f3n en tun_free_netdev() moviendo las asignaciones dev-\u0026gt;tstats y tun-\u0026gt;security a una nueva rutina ndo_init (tun_net_init()) que ser\u00e1 llamado por Register_netdevice(). ndo_init est\u00e1 emparejado con el destructor (tun_free_netdev()), por lo que si hay un error en Register_netdevice() el destructor manejar\u00e1 las liberaciones. ERROR: KASAN: doble liberaci\u00f3n o no v\u00e1lido en selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605 CPU: 0 PID: 25750 Comm: syz-executor416 No contaminado 5.16.0-rc2-syzk #1 Nombre de hardware : Red Hat KVM, seguimiento de llamadas de BIOS: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report. c:247 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372 ____kasan_slab_free mm/kasan/common.c:346 [en l\u00ednea] __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan .h:235 [en l\u00ednea] slab_free_hook mm/slub.c:1723 [en l\u00ednea] slab_free_freelist_hook mm/slub.c:1749 [en l\u00ednea] slab_free mm/slub.c:3513 [en l\u00ednea] kfree+0xac/0x2d0 mm/slub.c :4561 selinux_tun_dev_free_security+0x1a/0x20 seguridad/selinux/hooks.c:5605 seguridad_tun_dev_free_security+0x4f/0x90 seguridad/seguridad.c:2342 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215 netdev_run_todo+0x4df/0x840 net/ n\u00facleo /dev.c:10627 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311 vfs_ioctl fs /ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:874 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:860 [en l\u00ednea] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/ common.c:50 [en l\u00ednea] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.