cve-2021-46933
Vulnerability from cvelistv5
Published
2024-02-27 09:44
Modified
2024-12-19 07:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
ffs_ep0_release, so it ends up being called twice when userland closes ep0
and then unmounts f_fs.
If userland provided an eventfd along with function's USB descriptors, it
ends up calling eventfd_ctx_put as many times, causing a refcount
underflow.
NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
Also, set epfiles to NULL right after de-allocating it, for readability.
For completeness, ffs_data_clear actually ends up being called thrice, the
last call being before the whole ffs structure gets freed, so when this
specific sequence happens there is a second underflow happening (but not
being reported):
/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
Warning output corresponding to above trace:
[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067] r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664] r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608] r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217] r7:c0dfcb
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 Version: 5e33f6fdf735cda1d4580fe6f1878da05718fe73 |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-46933", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-27T15:36:00.689438Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:03.979Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.071Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/gadget/function/f_fs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f976dd7011150244a7ba820f2c331e9fb253befa", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "cc8c8028c21b2a3842a1e98e99e55028df275919", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "52500239e3f2d6fc77b6f58632a9fb98fe74ac09", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "33f6a0cbb7772146e1c11f38028fffbfed14728b", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "240fc586e83d645912accce081a48aa63a45f6ee", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "1c4ace3e6b8575745c50dca9e76e0021e697d645", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "ebef2aa29f370b5096c16020c104e393192ef684", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" }, { "lessThan": "b1e0887379422975f237d43d8839b751a6bcf154", "status": "affected", "version": "5e33f6fdf735cda1d4580fe6f1878da05718fe73", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/gadget/function/f_fs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.0" }, { "lessThan": "4.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.4.*", "status": "unaffected", "version": "4.4.298", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.296", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.261", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.224", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.170", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.90", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.13", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.\n\nffs_data_clear is indirectly called from both ffs_fs_kill_sb and\nffs_ep0_release, so it ends up being called twice when userland closes ep0\nand then unmounts f_fs.\nIf userland provided an eventfd along with function\u0027s USB descriptors, it\nends up calling eventfd_ctx_put as many times, causing a refcount\nunderflow.\nNULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.\n\nAlso, set epfiles to NULL right after de-allocating it, for readability.\n\nFor completeness, ffs_data_clear actually ends up being called thrice, the\nlast call being before the whole ffs structure gets freed, so when this\nspecific sequence happens there is a second underflow happening (but not\nbeing reported):\n\n/sys/kernel/debug/tracing# modprobe usb_f_fs\n/sys/kernel/debug/tracing# echo ffs_data_clear \u003e set_ftrace_filter\n/sys/kernel/debug/tracing# echo function \u003e current_tracer\n/sys/kernel/debug/tracing# echo 1 \u003e tracing_on\n(setup gadget, run and kill function userland process, teardown gadget)\n/sys/kernel/debug/tracing# echo 0 \u003e tracing_on\n/sys/kernel/debug/tracing# cat trace\n smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear \u003c-ffs_data_closed\n smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear \u003c-ffs_data_closed\n smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear \u003c-ffs_data_put\n\nWarning output corresponding to above trace:\n[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c\n[ 1946.293094] refcount_t: underflow; use-after-free.\n[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)\n[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1\n[ 1946.417950] Hardware name: BCM2835\n[ 1946.425442] Backtrace:\n[ 1946.432048] [\u003cc08d60a0\u003e] (dump_backtrace) from [\u003cc08d62ec\u003e] (show_stack+0x20/0x24)\n[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c\n[ 1946.458412] [\u003cc08d62cc\u003e] (show_stack) from [\u003cc08d9ae0\u003e] (dump_stack+0x28/0x30)\n[ 1946.470380] [\u003cc08d9ab8\u003e] (dump_stack) from [\u003cc0123500\u003e] (__warn+0xe8/0x154)\n[ 1946.482067] r5:c04a948c r4:c0a71dc8\n[ 1946.490184] [\u003cc0123418\u003e] (__warn) from [\u003cc08d6948\u003e] (warn_slowpath_fmt+0xa0/0xe4)\n[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04\n[ 1946.517070] [\u003cc08d68ac\u003e] (warn_slowpath_fmt) from [\u003cc04a948c\u003e] (refcount_warn_saturate+0x110/0x15c)\n[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0\n[ 1946.546708] [\u003cc04a937c\u003e] (refcount_warn_saturate) from [\u003cc0380134\u003e] (eventfd_ctx_put+0x48/0x74)\n[ 1946.564476] [\u003cc03800ec\u003e] (eventfd_ctx_put) from [\u003cbf5464e8\u003e] (ffs_data_clear+0xd0/0x118 [usb_f_fs])\n[ 1946.582664] r5:c3b84c00 r4:c2695b00\n[ 1946.590668] [\u003cbf546418\u003e] (ffs_data_clear [usb_f_fs]) from [\u003cbf547cc0\u003e] (ffs_data_closed+0x9c/0x150 [usb_f_fs])\n[ 1946.609608] r5:bf54d014 r4:c2695b00\n[ 1946.617522] [\u003cbf547c24\u003e] (ffs_data_closed [usb_f_fs]) from [\u003cbf547da0\u003e] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])\n[ 1946.636217] r7:c0dfcb\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:32:05.163Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa" }, { "url": "https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919" }, { "url": "https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09" }, { "url": "https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b" }, { "url": "https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee" }, { "url": "https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645" }, { "url": "https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684" }, { "url": "https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154" } ], "title": "usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46933", "datePublished": "2024-02-27T09:44:00.758Z", "dateReserved": "2024-02-25T13:45:52.720Z", "dateUpdated": "2024-12-19T07:32:05.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-46933\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T10:15:07.807\",\"lastModified\":\"2024-11-21T06:34:57.927\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.\\n\\nffs_data_clear is indirectly called from both ffs_fs_kill_sb and\\nffs_ep0_release, so it ends up being called twice when userland closes ep0\\nand then unmounts f_fs.\\nIf userland provided an eventfd along with function\u0027s USB descriptors, it\\nends up calling eventfd_ctx_put as many times, causing a refcount\\nunderflow.\\nNULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.\\n\\nAlso, set epfiles to NULL right after de-allocating it, for readability.\\n\\nFor completeness, ffs_data_clear actually ends up being called thrice, the\\nlast call being before the whole ffs structure gets freed, so when this\\nspecific sequence happens there is a second underflow happening (but not\\nbeing reported):\\n\\n/sys/kernel/debug/tracing# modprobe usb_f_fs\\n/sys/kernel/debug/tracing# echo ffs_data_clear \u003e set_ftrace_filter\\n/sys/kernel/debug/tracing# echo function \u003e current_tracer\\n/sys/kernel/debug/tracing# echo 1 \u003e tracing_on\\n(setup gadget, run and kill function userland process, teardown gadget)\\n/sys/kernel/debug/tracing# echo 0 \u003e tracing_on\\n/sys/kernel/debug/tracing# cat trace\\n smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear \u003c-ffs_data_closed\\n smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear \u003c-ffs_data_closed\\n smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear \u003c-ffs_data_put\\n\\nWarning output corresponding to above trace:\\n[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c\\n[ 1946.293094] refcount_t: underflow; use-after-free.\\n[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)\\n[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1\\n[ 1946.417950] Hardware name: BCM2835\\n[ 1946.425442] Backtrace:\\n[ 1946.432048] [\u003cc08d60a0\u003e] (dump_backtrace) from [\u003cc08d62ec\u003e] (show_stack+0x20/0x24)\\n[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c\\n[ 1946.458412] [\u003cc08d62cc\u003e] (show_stack) from [\u003cc08d9ae0\u003e] (dump_stack+0x28/0x30)\\n[ 1946.470380] [\u003cc08d9ab8\u003e] (dump_stack) from [\u003cc0123500\u003e] (__warn+0xe8/0x154)\\n[ 1946.482067] r5:c04a948c r4:c0a71dc8\\n[ 1946.490184] [\u003cc0123418\u003e] (__warn) from [\u003cc08d6948\u003e] (warn_slowpath_fmt+0xa0/0xe4)\\n[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04\\n[ 1946.517070] [\u003cc08d68ac\u003e] (warn_slowpath_fmt) from [\u003cc04a948c\u003e] (refcount_warn_saturate+0x110/0x15c)\\n[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0\\n[ 1946.546708] [\u003cc04a937c\u003e] (refcount_warn_saturate) from [\u003cc0380134\u003e] (eventfd_ctx_put+0x48/0x74)\\n[ 1946.564476] [\u003cc03800ec\u003e] (eventfd_ctx_put) from [\u003cbf5464e8\u003e] (ffs_data_clear+0xd0/0x118 [usb_f_fs])\\n[ 1946.582664] r5:c3b84c00 r4:c2695b00\\n[ 1946.590668] [\u003cbf546418\u003e] (ffs_data_clear [usb_f_fs]) from [\u003cbf547cc0\u003e] (ffs_data_closed+0x9c/0x150 [usb_f_fs])\\n[ 1946.609608] r5:bf54d014 r4:c2695b00\\n[ 1946.617522] [\u003cbf547c24\u003e] (ffs_data_closed [usb_f_fs]) from [\u003cbf547da0\u003e] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])\\n[ 1946.636217] r7:c0dfcb\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: usb: gadget: f_fs: Borrar ffs_eventfd en ffs_data_clear. ffs_data_clear se llama indirectamente desde ffs_fs_kill_sb y ffs_ep0_release, por lo que termina siendo llamado dos veces cuando el \u00e1rea de usuario cierra ep0 y luego desmonta f_fs. Si Userland proporcion\u00f3 un eventfd junto con los descriptores USB de la funci\u00f3n, termina llamando a eventfd_ctx_put tantas veces, provocando un desbordamiento insuficiente de recuento. NULL-ify ffs_eventfd para evitar estas llamadas extra\u00f1as eventfd_ctx_put. Adem\u00e1s, establezca epfiles en NULL justo despu\u00e9s de desasignarlo, para facilitar la lectura. Para completar, ffs_data_clear en realidad termina siendo llamado tres veces, la \u00faltima llamada es antes de que se libere toda la estructura de ffs, por lo que cuando ocurre esta secuencia espec\u00edfica, se produce un segundo desbordamiento insuficiente (pero no se informa): /sys/kernel/debug/tracing # modprobe usb_f_fs /sys/kernel/debug/tracing# echo ffs_data_clear \u0026gt; set_ftrace_filter /sys/kernel/debug/tracing# echo function \u0026gt; current_tracer /sys/kernel/debug/tracing# echo 1 \u0026gt; tracing_on (dispositivo de configuraci\u00f3n, funci\u00f3n ejecutar y finalizar proceso de usuario, dispositivo de desmontaje) /sys/kernel/debug/tracing# echo 0 \u0026gt; tracing_on /sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear \u0026lt;-ffs_data_closed tarjeta inteligente -openp-431 [000] ..... 1946.279147: ffs_data_clear \u0026lt;-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear \u0026lt;-ffs_data_put Salida de advertencia correspondiente al seguimiento anterior: [ 1946.284139] ADVERTENCIA: CPU : 0 PID: 431 en lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c [ 1946.293094] refcount_t: desbordamiento insuficiente; use-after-free. [1946.298164] M\u00f3dulos vinculados en: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E ) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_b cm2835 (CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E ) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c (E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E ) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E) [ 1946.399633] CPU: 0 PID: 431 Comm: tarjeta inteligente- openp Contaminado: GC OE 5.15.0-1-rpi #1 Debian 5.15.3-1 [ 1946.417950] Nombre de hardware: BCM2835 [ 1946.425442] Seguimiento inverso: [ 1946.432048] [] (dump_backtrace) de [] ( show_stack+0x20/0x24) [ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c [ 1946.458412] [] (show_stack) de [] (dump_ pila+0x28/0x30) [ 1946.470380] [\u0026lt; c08d9ab8\u0026gt;] (dump_stack) de [] (__warn+0xe8/0x154) [ 1946.482067] r5:c04a948c r4:c0a71dc8 [ 1946.490184] [] (__warn) de [] (warn_slowpath_fmt+0xa0/ 0xe4) [ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04 [ 1946.517070] [] (warn_slowpath_fmt) de [] (refcount_war n_saturado+0x110/0x15c) [ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0 [ 1946.546708] [] (refcount_warn_saturate) de [] (eventfd_ctx_put+0x48/0x74) [ 1946.564476] [] (eventfd_ctx_put) de [] (ffs_data_clear+0xd0/0x118 [usb_f_fs]) [ 1946.582664] r5:c3b84c00 r4:c2695b00 [ 1946.590668] [] (ffs_data_clear [usb_f_fs]) de [] ( ffs_data_closed+0x9c/0x150 [usb_f_fs]) [ 1946.609608] r5:bf54d014 r4:c2695b00 [ 1946.617522] [] (ffs_data_closed [usb_f_fs\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.4.298\",\"matchCriteriaId\":\"C01E3FB6-531E-4ABC-BF95-6FADD48AE7E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.5.0\",\"versionEndExcluding\":\"4.9.296\",\"matchCriteriaId\":\"883CB22B-11DA-4D54-8121-3F5494EDBD4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10.0\",\"versionEndExcluding\":\"4.14.261\",\"matchCriteriaId\":\"B5D4F856-5F69-4F4A-911F-50A21B9A68B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.15.0\",\"versionEndExcluding\":\"4.19.224\",\"matchCriteriaId\":\"B34A1353-506A-4AB9-87EC-CD50F09DFB8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20.0\",\"versionEndExcluding\":\"5.4.170\",\"matchCriteriaId\":\"56D16FBB-453E-4316-A027-E517828203D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5.0\",\"versionEndExcluding\":\"5.10.90\",\"matchCriteriaId\":\"C87FB3FD-3E74-4588-A1A4-B9BA8AE0C06B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11.0\",\"versionEndExcluding\":\"5.15.13\",\"matchCriteriaId\":\"083E0940-932B-447B-A6B2-677DAE27FD04\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.