FKIE_CVE-2021-47388

Vulnerability from fkie_nvd - Published: 2024-05-21 15:15 - Updated: 2024-12-30 20:05
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix use-after-free in CCMP/GCMP RX When PN checking is done in mac80211, for fragmentation we need to copy the PN to the RX struct so we can later use it to do a comparison, since commit bf30ca922a0c ("mac80211: check defrag PN against current frame"). Unfortunately, in that commit I used the 'hdr' variable without it being necessarily valid, so use-after-free could occur if it was necessary to reallocate (parts of) the frame. Fix this by reloading the variable after the code that results in the reallocations, if any. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4ddPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbbPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4ddPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbbPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.15
linux linux_kernel 5.15
linux linux_kernel 5.15
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3798718F-8A7B-4C97-8B85-EA902E299CE5",
              "versionEndExcluding": "4.4.286",
              "versionStartIncluding": "4.4.271",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EF9410E-0AB3-4902-BB1F-809E5D8D3EB9",
              "versionEndExcluding": "4.9.285",
              "versionStartIncluding": "4.9.271",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FAF50BD1-6DBB-423F-95D8-09FEF61110B9",
              "versionEndExcluding": "4.14.249",
              "versionStartIncluding": "4.14.235",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB5D56FB-33D5-47AB-B271-16B2AA4047CD",
              "versionEndExcluding": "4.19.209",
              "versionStartIncluding": "4.19.193",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3582105-83A6-44A2-A5FD-A8601682F907",
              "versionEndExcluding": "5.4.151",
              "versionStartIncluding": "5.4.124",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E03A7BF-F96F-4146-8E03-D147DC3FDD5D",
              "versionEndExcluding": "5.10.71",
              "versionStartIncluding": "5.10.42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9547C1C-2496-47AE-AE18-BA7E79470606",
              "versionEndExcluding": "5.14.10",
              "versionStartIncluding": "5.12.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E46C74C6-B76B-4C94-A6A4-FD2FFF62D644",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "60134C3A-06E4-48C1-B04F-2903732A4E56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix use-after-free in CCMP/GCMP RX\n\nWhen PN checking is done in mac80211, for fragmentation we need\nto copy the PN to the RX struct so we can later use it to do a\ncomparison, since commit bf30ca922a0c (\"mac80211: check defrag\nPN against current frame\").\n\nUnfortunately, in that commit I used the \u0027hdr\u0027 variable without\nit being necessarily valid, so use-after-free could occur if it\nwas necessary to reallocate (parts of) the frame.\n\nFix this by reloading the variable after the code that results\nin the reallocations, if any.\n\nThis fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401."
    },
    {
      "lang": "es",
      "value": " En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mac80211: corrige el use after free en CCMP/GCMP RX. Cuando se realiza la verificaci\u00f3n de PN en mac80211, para la fragmentaci\u00f3n necesitamos copiar el PN a la estructura RX para poder usarlo m\u00e1s tarde. para hacer una comparaci\u00f3n, desde la confirmaci\u00f3n bf30ca922a0c (\"mac80211: verifique la desfragmentaci\u00f3n PN con el marco actual\"). Desafortunadamente, en esa confirmaci\u00f3n utilic\u00e9 la variable \u0027hdr\u0027 sin que fuera necesariamente v\u00e1lida, por lo que podr\u00eda ocurrir un use after free si fuera necesario reasignar (partes de) el marco. Solucione este problema recargando la variable despu\u00e9s del c\u00f3digo que da como resultado las reasignaciones, si corresponde. Esto corrige https://bugzilla.kernel.org/show_bug.cgi?id=214401."
    }
  ],
  "id": "CVE-2021-47388",
  "lastModified": "2024-12-30T20:05:07.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-21T15:15:24.257",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/27d3eb5616ee2c0a3b30c3fa34813368ed1f3dc9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/31de381aef0ab1b342f62485118dc8a19363dc78"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3d5d629c99c468458022e9b381789de3595bf4dd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/447d001b875d0e7f211c4ba004916028da994258"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/50149e0866a82cef33e680ee68dc380a5bc75d32"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/57de2dcb18742dc2860861c9f496da7d42b67da0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/94513069eb549737bcfc3d988d6ed4da948a2de8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f556e1d6fb9f2923a9a36f3df638c7d79ba09dbb"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.