FKIE_CVE-2021-47281

Vulnerability from fkie_nvd - Published: 2024-05-21 15:15 - Updated: 2024-12-24 16:30
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: Fix race of snd_seq_timer_open() The timer instance per queue is exclusive, and snd_seq_timer_open() should have managed the concurrent accesses. It looks as if it's checking the already existing timer instance at the beginning, but it's not right, because there is no protection, hence any later concurrent call of snd_seq_timer_open() may override the timer instance easily. This may result in UAF, as the leftover timer instance can keep running while the queue itself gets closed, as spotted by syzkaller recently. For avoiding the race, add a proper check at the assignment of tmr->timeri again, and return -EBUSY if it's been already registered.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166baPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166baPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "021FCB31-DA9C-4E32-BAE6-E72DDA486D8C",
              "versionEndExcluding": "5.10.44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F914A757-FAFD-407E-9031-21F66635D5EA",
              "versionEndExcluding": "5.12.11",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix race of snd_seq_timer_open()\n\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses.  It looks as if it\u0027s\nchecking the already existing timer instance at the beginning, but\nit\u0027s not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily.  This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\n\nFor avoiding the race, add a proper check at the assignment of\ntmr-\u003etimeri again, and return -EBUSY if it\u0027s been already registered."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: ALSA: seq: Fix race of snd_seq_timer_open(). La instancia del temporizador por cola es exclusiva, y snd_seq_timer_open() deber\u00eda haber gestionado los accesos concurrentes. Parece como si estuviera verificando la instancia del temporizador ya existente al principio, pero no es correcto, porque no hay protecci\u00f3n, por lo tanto, cualquier llamada simult\u00e1nea posterior a snd_seq_timer_open() puede anular la instancia del temporizador f\u00e1cilmente. Esto puede resultar en UAF, ya que la instancia del temporizador sobrante puede seguir ejecut\u00e1ndose mientras la cola se cierra, como descubri\u00f3 syzkaller recientemente. Para evitar la ejecuci\u00f3n, agregue una verificaci\u00f3n adecuada en la asignaci\u00f3n de tmr-\u0026gt;timeri nuevamente y devuelva -EBUSY si ya se registr\u00f3."
    }
  ],
  "id": "CVE-2021-47281",
  "lastModified": "2024-12-24T16:30:22.490",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-21T15:15:16.353",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.