ghsa-mgvw-6jhh-5c24
Vulnerability from github
Published
2024-03-04 18:30
Modified
2024-03-04 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

hamradio: improve the incomplete fix to avoid NPD

The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after unregister_netdev") reorder the kfree operations and unregister_netdev operation to prevent UAF.

This commit improves the previous one by also deferring the nullify of the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs. Partial of the stack trace is shown below.

BUG: kernel NULL pointer dereference, address: 0000000000000538 RIP: 0010:ax_xmit+0x1f9/0x400 ... Call Trace: dev_hard_start_xmit+0xec/0x320 sch_direct_xmit+0xea/0x240 __qdisc_run+0x166/0x5c0 __dev_queue_xmit+0x2c7/0xaf0 ax25_std_establish_data_link+0x59/0x60 ax25_connect+0x3a0/0x500 ? security_socket_connect+0x2b/0x40 __sys_connect+0x96/0xc0 ? __hrtimer_init+0xc0/0xc0 ? common_nsleep+0x2e/0x50 ? switch_fpu_return+0x139/0x1a0 __x64_sys_connect+0x11/0x20 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The crash point is shown as below

static void ax_encaps(...) { ... set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL! ... }

By placing the nullify action after the unregister_netdev, the ax->tty pointer won't be assigned as NULL net_device framework layer is well synchronized.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47085"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T18:15:07Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhamradio: improve the incomplete fix to avoid NPD\n\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\n\nThis commit improves the previous one by also deferring the nullify of\nthe ax-\u003etty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\n dev_hard_start_xmit+0xec/0x320\n sch_direct_xmit+0xea/0x240\n __qdisc_run+0x166/0x5c0\n __dev_queue_xmit+0x2c7/0xaf0\n ax25_std_establish_data_link+0x59/0x60\n ax25_connect+0x3a0/0x500\n ? security_socket_connect+0x2b/0x40\n __sys_connect+0x96/0xc0\n ? __hrtimer_init+0xc0/0xc0\n ? common_nsleep+0x2e/0x50\n ? switch_fpu_return+0x139/0x1a0\n __x64_sys_connect+0x11/0x20\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe crash point is shown as below\n\nstatic void ax_encaps(...) {\n  ...\n  set_bit(TTY_DO_WRITE_WAKEUP, \u0026ax-\u003etty-\u003eflags); // ax-\u003etty = NULL!\n  ...\n}\n\nBy placing the nullify action after the unregister_netdev, the ax-\u003etty\npointer won\u0027t be assigned as NULL net_device framework layer is well\nsynchronized.",
  "id": "GHSA-mgvw-6jhh-5c24",
  "modified": "2024-03-04T18:30:37Z",
  "published": "2024-03-04T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47085"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03d00f7f1815ec00dab5035851b3de83afd054a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/371a874ea06f147d6ca30be43dad33683965eba6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83ba6ec97c74fb1a60f7779a26b6a94b28741d8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5c6a13e9056d87805ba3042c208fbd4164ad22b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7b0ae2cc486fcb601f9f9d87d98138cc7b7f7f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2f37aead1b82a770c48b5d583f35ec22aabb61e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.