CVE-2021-47634 (GCVE-0-2021-47634)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 12:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
Hulk Robot reported a KASAN report about use-after-free:
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
[...]
Call Trace:
klist_dec_and_del+0xa7/0x4a0
klist_put+0xc7/0x1a0
device_del+0x4d4/0xed0
cdev_device_del+0x1a/0x80
ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
ctrl_cdev_ioctl+0x286/0x2f0 [ubi]
Allocated by task 1414:
device_add+0x60a/0x18b0
cdev_device_add+0x103/0x170
ubi_create_volume+0x1118/0x1a10 [ubi]
ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]
Freed by task 1385:
cdev_device_del+0x1a/0x80
ubi_remove_volume+0x438/0x6c0 [ubi]
ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
[...]
==================================================================
The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held
by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be
concurrent.
ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.
ubi_detach is bug-free because it uses reference counting to prevent
concurrency. However, uif_init and uif_close in ubi_attach may race with
ubi_cdev_ioctl.
uif_init will race with ubi_cdev_ioctl as in the following stack.
cpu1 cpu2 cpu3
_______________________|________________________|______________________
ctrl_cdev_ioctl
ubi_attach_mtd_dev
uif_init
ubi_cdev_ioctl
ubi_create_volume
cdev_device_add
ubi_add_volume
// sysfs exist
kill_volumes
ubi_cdev_ioctl
ubi_remove_volume
cdev_device_del
// first free
ubi_free_volume
cdev_del
// double free
cdev_device_del
And uif_close will race with ubi_cdev_ioctl as in the following stack.
cpu1 cpu2 cpu3
_______________________|________________________|______________________
ctrl_cdev_ioctl
ubi_attach_mtd_dev
uif_init
ubi_cdev_ioctl
ubi_create_volume
cdev_device_add
ubi_debugfs_init_dev
//error goto out_uif;
uif_close
kill_volumes
ubi_cdev_ioctl
ubi_remove_volume
cdev_device_del
// first free
ubi_free_volume
// double free
The cause of this problem is that commit 714fb87e8bc0 make device
"available" before it becomes accessible via sysfs. Therefore, we
roll back the modification. We will fix the race condition between
ubi device creation and udev by removing ubi_get_device in
vol_attribute_show and dev_attribute_show.This avoids accessing
uninitialized ubi_devices[ubi_num].
ubi_get_device is used to prevent devices from being deleted during
sysfs execution. However, now kernfs ensures that devices will not
be deleted before all reference counting are released.
The key process is shown in the following stack.
device_del
device_remove_attrs
device_remove_groups
sysfs_remove_groups
sysfs_remove_group
remove_files
kernfs_remove_by_name
kernfs_remove_by_name_ns
__kernfs_remove
kernfs_drain
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 714fb87e8bc05ff78255afc0dca981e8c5242785 Version: 016820bde3f0895d09fcad370415085ba0d1bd4a Version: 12f567db822241090b90c5645ea9146f6cf8fa42 Version: 31b0fca8ab9b9786fe6e5027c4a8587b47db5abf Version: 6117840dec60344167038f9511c3770d4c096eaa Version: bd7d3de27e7e1acce2e276074a498a82e0834663 Version: cdf25333b42fb889f086ef65d0734d0dbdc49f4e Version: ae32d1b98ba29408df87c0ed47877ca0f248eae7 Version: 4056337b1e81a1b137aa562133dc5430cd2fd19e Version: f3db4c640b32485105554e0bfd16bbde585f6fb0 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:56.634866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:36.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/build.c",
"drivers/mtd/ubi/vmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f149b1bd213820363731aa119e5011ca892a2aac",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "a8ecee49259f8f78d91ddb329ab2be7e6fd01974",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "d727fd32cbd1abf3465f607021bc9c746f17b5a8",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "432b057f8e847ae5a2306515606f8d2defaca178",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "1a3f1cf87054833242fcd0218de0481cf855f888",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "c32fe764191b8ae8b128588beb96e3718d9179d8",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "3cbf0e392f173ba0ce425968c8374a6aa3e90f2e",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"status": "affected",
"version": "016820bde3f0895d09fcad370415085ba0d1bd4a",
"versionType": "git"
},
{
"status": "affected",
"version": "12f567db822241090b90c5645ea9146f6cf8fa42",
"versionType": "git"
},
{
"status": "affected",
"version": "31b0fca8ab9b9786fe6e5027c4a8587b47db5abf",
"versionType": "git"
},
{
"status": "affected",
"version": "6117840dec60344167038f9511c3770d4c096eaa",
"versionType": "git"
},
{
"status": "affected",
"version": "bd7d3de27e7e1acce2e276074a498a82e0834663",
"versionType": "git"
},
{
"status": "affected",
"version": "cdf25333b42fb889f086ef65d0734d0dbdc49f4e",
"versionType": "git"
},
{
"status": "affected",
"version": "ae32d1b98ba29408df87c0ed47877ca0f248eae7",
"versionType": "git"
},
{
"status": "affected",
"version": "4056337b1e81a1b137aa562133dc5430cd2fd19e",
"versionType": "git"
},
{
"status": "affected",
"version": "f3db4c640b32485105554e0bfd16bbde585f6fb0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/build.c",
"drivers/mtd/ubi/vmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n klist_dec_and_del+0xa7/0x4a0\n klist_put+0xc7/0x1a0\n device_del+0x4d4/0xed0\n cdev_device_del+0x1a/0x80\n ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n device_add+0x60a/0x18b0\n cdev_device_add+0x103/0x170\n ubi_create_volume+0x1118/0x1a10 [ubi]\n ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n cdev_device_del+0x1a/0x80\n ubi_remove_volume+0x438/0x6c0 [ubi]\n ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi-\u003edevice_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_add_volume\n // sysfs exist\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n cdev_del\n // double free\n cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_debugfs_init_dev\n //error goto out_uif;\n uif_close\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 make device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show.This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counting are released.\nThe key process is shown in the following stack.\n\ndevice_del\n device_remove_attrs\n device_remove_groups\n sysfs_remove_groups\n sysfs_remove_group\n remove_files\n kernfs_remove_by_name\n kernfs_remove_by_name_ns\n __kernfs_remove\n kernfs_drain"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:41:47.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac"
},
{
"url": "https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974"
},
{
"url": "https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8"
},
{
"url": "https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178"
},
{
"url": "https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888"
},
{
"url": "https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8"
},
{
"url": "https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b"
},
{
"url": "https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e"
}
],
"title": "ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47634",
"datePublished": "2025-02-26T01:54:09.135Z",
"dateReserved": "2025-02-26T01:48:21.518Z",
"dateUpdated": "2025-05-04T12:41:47.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47634\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T18:17:56.634866Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T18:17:58.309Z\"}}], \"cna\": {\"title\": \"ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"f149b1bd213820363731aa119e5011ca892a2aac\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"a8ecee49259f8f78d91ddb329ab2be7e6fd01974\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"d727fd32cbd1abf3465f607021bc9c746f17b5a8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"432b057f8e847ae5a2306515606f8d2defaca178\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"1a3f1cf87054833242fcd0218de0481cf855f888\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"c32fe764191b8ae8b128588beb96e3718d9179d8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"714fb87e8bc05ff78255afc0dca981e8c5242785\", \"lessThan\": \"3cbf0e392f173ba0ce425968c8374a6aa3e90f2e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"016820bde3f0895d09fcad370415085ba0d1bd4a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"12f567db822241090b90c5645ea9146f6cf8fa42\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"31b0fca8ab9b9786fe6e5027c4a8587b47db5abf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6117840dec60344167038f9511c3770d4c096eaa\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"bd7d3de27e7e1acce2e276074a498a82e0834663\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"cdf25333b42fb889f086ef65d0734d0dbdc49f4e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ae32d1b98ba29408df87c0ed47877ca0f248eae7\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4056337b1e81a1b137aa562133dc5430cd2fd19e\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f3db4c640b32485105554e0bfd16bbde585f6fb0\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/mtd/ubi/build.c\", \"drivers/mtd/ubi/vmt.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.14.276\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.14.*\"}, {\"status\": \"unaffected\", \"version\": \"4.19.238\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.189\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.110\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.33\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.16.*\"}, {\"status\": \"unaffected\", \"version\": \"5.17.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.17.*\"}, {\"status\": \"unaffected\", \"version\": \"5.18\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/mtd/ubi/build.c\", \"drivers/mtd/ubi/vmt.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac\"}, {\"url\": \"https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974\"}, {\"url\": \"https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8\"}, {\"url\": \"https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178\"}, {\"url\": \"https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888\"}, {\"url\": \"https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8\"}, {\"url\": \"https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b\"}, {\"url\": \"https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\\n\\nHulk Robot reported a KASAN report about use-after-free:\\n ==================================================================\\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\\n [...]\\n Call Trace:\\n klist_dec_and_del+0xa7/0x4a0\\n klist_put+0xc7/0x1a0\\n device_del+0x4d4/0xed0\\n cdev_device_del+0x1a/0x80\\n ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\\n ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\\n\\n Allocated by task 1414:\\n device_add+0x60a/0x18b0\\n cdev_device_add+0x103/0x170\\n ubi_create_volume+0x1118/0x1a10 [ubi]\\n ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\\n\\n Freed by task 1385:\\n cdev_device_del+0x1a/0x80\\n ubi_remove_volume+0x438/0x6c0 [ubi]\\n ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\\n [...]\\n ==================================================================\\n\\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\\nby ubi_cdev_ioctl is ubi-\u003edevice_mutex. Therefore, the two locks can be\\nconcurrent.\\n\\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\\nubi_detach is bug-free because it uses reference counting to prevent\\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\\nubi_cdev_ioctl.\\n\\nuif_init will race with ubi_cdev_ioctl as in the following stack.\\n cpu1 cpu2 cpu3\\n_______________________|________________________|______________________\\nctrl_cdev_ioctl\\n ubi_attach_mtd_dev\\n uif_init\\n ubi_cdev_ioctl\\n ubi_create_volume\\n cdev_device_add\\n ubi_add_volume\\n // sysfs exist\\n kill_volumes\\n ubi_cdev_ioctl\\n ubi_remove_volume\\n cdev_device_del\\n // first free\\n ubi_free_volume\\n cdev_del\\n // double free\\n cdev_device_del\\n\\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\\n cpu1 cpu2 cpu3\\n_______________________|________________________|______________________\\nctrl_cdev_ioctl\\n ubi_attach_mtd_dev\\n uif_init\\n ubi_cdev_ioctl\\n ubi_create_volume\\n cdev_device_add\\n ubi_debugfs_init_dev\\n //error goto out_uif;\\n uif_close\\n kill_volumes\\n ubi_cdev_ioctl\\n ubi_remove_volume\\n cdev_device_del\\n // first free\\n ubi_free_volume\\n // double free\\n\\nThe cause of this problem is that commit 714fb87e8bc0 make device\\n\\\"available\\\" before it becomes accessible via sysfs. Therefore, we\\nroll back the modification. We will fix the race condition between\\nubi device creation and udev by removing ubi_get_device in\\nvol_attribute_show and dev_attribute_show.This avoids accessing\\nuninitialized ubi_devices[ubi_num].\\n\\nubi_get_device is used to prevent devices from being deleted during\\nsysfs execution. However, now kernfs ensures that devices will not\\nbe deleted before all reference counting are released.\\nThe key process is shown in the following stack.\\n\\ndevice_del\\n device_remove_attrs\\n device_remove_groups\\n sysfs_remove_groups\\n sysfs_remove_group\\n remove_files\\n kernfs_remove_by_name\\n kernfs_remove_by_name_ns\\n __kernfs_remove\\n kernfs_drain\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.276\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.238\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.189\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.110\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.33\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.16.19\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.17.2\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.18\", \"versionStartIncluding\": \"4.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"3.2.84\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"3.10.103\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"3.12.63\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"3.14.77\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"3.16.39\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"3.18.40\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"4.1.31\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"4.4.19\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"4.7.2\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:41:47.680Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2021-47634\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:41:47.680Z\", \"dateReserved\": \"2025-02-26T01:48:21.518Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-02-26T01:54:09.135Z\", \"assignerShortName\": \"Linux\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…