cve-2021-47435
Vulnerability from cvelistv5
Published
2024-05-22 06:19
Modified
2024-11-04 12:05
Severity ?
Summary
dm: fix mempool NULL pointer race when completing IO
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47435",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-22T18:48:43.435062Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:13:25.705Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.225Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9fb7cd5c7fef",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "d35aef9c60d3",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "9e07272cca2e",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "ad1393b92e50",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "d29c78d3f9c5",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "6e506f07c5b5",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "d208b89401e0",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.313",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.278",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.193",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix mempool NULL pointer race when completing IO\n\ndm_io_dec_pending() calls end_io_acct() first and will then dec md\nin-flight pending count. But if a task is swapping DM table at same\ntime this can result in a crash due to mempool-\u003eelements being NULL:\n\ntask1                             task2\ndo_resume\n -\u003edo_suspend\n  -\u003edm_wait_for_completion\n                                  bio_endio\n\t\t\t\t   -\u003eclone_endio\n\t\t\t\t    -\u003edm_io_dec_pending\n\t\t\t\t     -\u003eend_io_acct\n\t\t\t\t      -\u003ewakeup task1\n -\u003edm_swap_table\n  -\u003e__bind\n   -\u003e__bind_mempools\n    -\u003ebioset_exit\n     -\u003emempool_exit\n                                     -\u003efree_io\n\n[ 67.330330] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n......\n[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[ 67.330510] pc : mempool_free+0x70/0xa0\n[ 67.330515] lr : mempool_free+0x4c/0xa0\n[ 67.330520] sp : ffffff8008013b20\n[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004\n[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8\n[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800\n[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800\n[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80\n[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c\n[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd\n[ 67.330563] x15: 000000000093b41e x14: 0000000000000010\n[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555\n[ 67.330574] x11: 0000000000000001 x10: 0000000000000001\n[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000\n[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a\n[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001\n[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8\n[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970\n[ 67.330609] Call trace:\n[ 67.330616] mempool_free+0x70/0xa0\n[ 67.330627] bio_put+0xf8/0x110\n[ 67.330638] dec_pending+0x13c/0x230\n[ 67.330644] clone_endio+0x90/0x180\n[ 67.330649] bio_endio+0x198/0x1b8\n[ 67.330655] dec_pending+0x190/0x230\n[ 67.330660] clone_endio+0x90/0x180\n[ 67.330665] bio_endio+0x198/0x1b8\n[ 67.330673] blk_update_request+0x214/0x428\n[ 67.330683] scsi_end_request+0x2c/0x300\n[ 67.330688] scsi_io_completion+0xa0/0x710\n[ 67.330695] scsi_finish_command+0xd8/0x110\n[ 67.330700] scsi_softirq_done+0x114/0x148\n[ 67.330708] blk_done_softirq+0x74/0xd0\n[ 67.330716] __do_softirq+0x18c/0x374\n[ 67.330724] irq_exit+0xb4/0xb8\n[ 67.330732] __handle_domain_irq+0x84/0xc0\n[ 67.330737] gic_handle_irq+0x148/0x1b0\n[ 67.330744] el1_irq+0xe8/0x190\n[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538\n[ 67.330759] cpuidle_enter_state+0x1fc/0x398\n[ 67.330764] cpuidle_enter+0x18/0x20\n[ 67.330772] do_idle+0x1b4/0x290\n[ 67.330778] cpu_startup_entry+0x20/0x28\n[ 67.330786] secondary_start_kernel+0x160/0x170\n\nFix this by:\n1) Establishing pointers to \u0027struct dm_io\u0027 members in\ndm_io_dec_pending() so that they may be passed into end_io_acct()\n_after_ free_io() is called.\n2) Moving end_io_acct() after free_io()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:05:51.756Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed"
        },
        {
          "url": "https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95"
        }
      ],
      "title": "dm: fix mempool NULL pointer race when completing IO",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47435",
    "datePublished": "2024-05-22T06:19:31.562Z",
    "dateReserved": "2024-05-21T14:58:30.830Z",
    "dateUpdated": "2024-11-04T12:05:51.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47435\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-22T07:15:08.790\",\"lastModified\":\"2024-05-22T12:46:53.887\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm: fix mempool NULL pointer race when completing IO\\n\\ndm_io_dec_pending() calls end_io_acct() first and will then dec md\\nin-flight pending count. But if a task is swapping DM table at same\\ntime this can result in a crash due to mempool-\u003eelements being NULL:\\n\\ntask1                             task2\\ndo_resume\\n -\u003edo_suspend\\n  -\u003edm_wait_for_completion\\n                                  bio_endio\\n\\t\\t\\t\\t   -\u003eclone_endio\\n\\t\\t\\t\\t    -\u003edm_io_dec_pending\\n\\t\\t\\t\\t     -\u003eend_io_acct\\n\\t\\t\\t\\t      -\u003ewakeup task1\\n -\u003edm_swap_table\\n  -\u003e__bind\\n   -\u003e__bind_mempools\\n    -\u003ebioset_exit\\n     -\u003emempool_exit\\n                                     -\u003efree_io\\n\\n[ 67.330330] Unable to handle kernel NULL pointer dereference at\\nvirtual address 0000000000000000\\n......\\n[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)\\n[ 67.330510] pc : mempool_free+0x70/0xa0\\n[ 67.330515] lr : mempool_free+0x4c/0xa0\\n[ 67.330520] sp : ffffff8008013b20\\n[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004\\n[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8\\n[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800\\n[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800\\n[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80\\n[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c\\n[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd\\n[ 67.330563] x15: 000000000093b41e x14: 0000000000000010\\n[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555\\n[ 67.330574] x11: 0000000000000001 x10: 0000000000000001\\n[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000\\n[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a\\n[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001\\n[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8\\n[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970\\n[ 67.330609] Call trace:\\n[ 67.330616] mempool_free+0x70/0xa0\\n[ 67.330627] bio_put+0xf8/0x110\\n[ 67.330638] dec_pending+0x13c/0x230\\n[ 67.330644] clone_endio+0x90/0x180\\n[ 67.330649] bio_endio+0x198/0x1b8\\n[ 67.330655] dec_pending+0x190/0x230\\n[ 67.330660] clone_endio+0x90/0x180\\n[ 67.330665] bio_endio+0x198/0x1b8\\n[ 67.330673] blk_update_request+0x214/0x428\\n[ 67.330683] scsi_end_request+0x2c/0x300\\n[ 67.330688] scsi_io_completion+0xa0/0x710\\n[ 67.330695] scsi_finish_command+0xd8/0x110\\n[ 67.330700] scsi_softirq_done+0x114/0x148\\n[ 67.330708] blk_done_softirq+0x74/0xd0\\n[ 67.330716] __do_softirq+0x18c/0x374\\n[ 67.330724] irq_exit+0xb4/0xb8\\n[ 67.330732] __handle_domain_irq+0x84/0xc0\\n[ 67.330737] gic_handle_irq+0x148/0x1b0\\n[ 67.330744] el1_irq+0xe8/0x190\\n[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538\\n[ 67.330759] cpuidle_enter_state+0x1fc/0x398\\n[ 67.330764] cpuidle_enter+0x18/0x20\\n[ 67.330772] do_idle+0x1b4/0x290\\n[ 67.330778] cpu_startup_entry+0x20/0x28\\n[ 67.330786] secondary_start_kernel+0x160/0x170\\n\\nFix this by:\\n1) Establishing pointers to \u0027struct dm_io\u0027 members in\\ndm_io_dec_pending() so that they may be passed into end_io_acct()\\n_after_ free_io() is called.\\n2) Moving end_io_acct() after free_io().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: dm: corrige la ejecuci\u00f3n del puntero NULL de mempool al completar IO dm_io_dec_pending() llama a end_io_acct() primero y luego dec md en vuelo conteo pendiente. Pero si una tarea intercambia la tabla DM al mismo tiempo, esto puede provocar un bloqueo debido a que mempool-\u0026gt;elementos son NULL: tarea1 tarea2 do_resume -\u0026gt;do_suspend -\u0026gt;dm_wait_for_completion bio_endio -\u0026gt;clone_endio -\u0026gt;dm_io_dec_pending -\u0026gt;end_io_acct -\u0026gt;wakeup task1 - \u0026gt;dm_swap_table -\u0026gt;__bind -\u0026gt;__bind_mempools -\u0026gt;bioset_exit -\u0026gt;mempool_exit -\u0026gt;free_io [67.330330] No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 00000000000000000 ...... [67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO ) [67.330510] pc: mempool_free+0x70/0xa0 [67.330515] lr: mempool_free+0x4c/0xa0 [67.330520] sp: ffffff8008013b20 [67.330524] x29: ffffff8008013b20 x28: 000000000000004 [ 67.330530] x27: fffffa8c2ff40a0 x26: 00000000ffff1cc8 [ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800 [ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800 [ 67.330547] x21: 00000000ffff1cc8 x20: 1304d80 [ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c [ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd [ 67.330563] 000000000093b41e x14: 0000000000000010 [ 67.330569] x13: 0000000000007f7a x12: 0000000034155555 [ 67.330574] x11: 00000000000000001 x10: 0000000000000001 [ 67.330579] x9 : 0000000000000000 x8: 0000000000000000 [67.330585] x7: 0000000000000000 x6: ffffff80148b5c1a [67.330590] x5: ffffff8008013ae0 x4: 000000001 [67.330596] x3: ffffff80080139c8 x2: ffffff801083bab8 [67.330601] x1: 0000000000000000 x0: ffffffdada34c970 [67.330609] Rastreo de llamadas: [67.330616] mempool_free+0x70/0xa0 [67.330627] 8/0x110 [67.330638] dec_pending+0x13c/0x230 [67.330644] clone_endio+0x90/0x180 [ 67.330649] bio_endio+0x198/0x1b8 [ 67.330655] dec_pending+0x190/0x230 [ 67.330660] clone_endio+0x90/0x180 [ 67.330665] bio_endio+0x198/0x1b8 [ 67.330673 ] blk_update_request+0x214/0x428 [ 67.330683] scsi_end_request+0x2c/0x300 [ 67.330688 ] scsi_io_completion+0xa0/0x710 [ 67.330695] scsi_finish_command+0xd8/0x110 [ 67.330700] scsi_softirq_done+0x114/0x148 [ 67.330708] blk_done_softirq+0x74/0xd0 [ 67.3307 16] __do_softirq+0x18c/0x374 [ 67.330724] irq_exit+0xb4/0xb8 [ 67.330732] __handle_domain_irq +0x84/0xc0 [ 67.330737] gic_handle_irq+0x148/0x1b0 [ 67.330744] el1_irq+0xe8/0x190 [ 67.330753] lpm_cpuidle_enter+0x4f8/0x538 [ 67.330759] +0x1fc/0x398 [ 67.330764] cpuidle_enter+0x18/0x20 [ 67.330772] do_idle+0x1b4 /0x290 [ 67.330778] cpu_startup_entry+0x20/0x28 [ 67.330786] second_start_kernel+0x160/0x170 Solucione este problema de la siguiente manera: 1) Estableciendo punteros a los miembros \u0027struct dm_io\u0027 en dm_io_dec_pending() para que puedan pasarse a end_io_acct() _despu\u00e9s_ free_io() se llama. 2) Mover end_io_acct() despu\u00e9s de free_io().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.