Vulnerability Details : CVE-2021-47085
In the Linux kernel, the following vulnerability has been resolved:
hamradio: improve the incomplete fix to avoid NPD
The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after
unregister_netdev") reorder the kfree operations and unregister_netdev
operation to prevent UAF.
This commit improves the previous one by also deferring the nullify of
the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.
Partial of the stack trace is shown below.
BUG: kernel NULL pointer dereference, address: 0000000000000538
RIP: 0010:ax_xmit+0x1f9/0x400
...
Call Trace:
dev_hard_start_xmit+0xec/0x320
sch_direct_xmit+0xea/0x240
__qdisc_run+0x166/0x5c0
__dev_queue_xmit+0x2c7/0xaf0
ax25_std_establish_data_link+0x59/0x60
ax25_connect+0x3a0/0x500
? security_socket_connect+0x2b/0x40
__sys_connect+0x96/0xc0
? __hrtimer_init+0xc0/0xc0
? common_nsleep+0x2e/0x50
? switch_fpu_return+0x139/0x1a0
__x64_sys_connect+0x11/0x20
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The crash point is shown as below
static void ax_encaps(...) {
...
set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!
...
}
By placing the nullify action after the unregister_netdev, the ax->tty
pointer won't be assigned as NULL net_device framework layer is well
synchronized.
Vulnerability category: Memory Corruption
Products affected by CVE-2021-47085
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2021-47085
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 7 %
Percentile, the proportion of vulnerabilities that are scored at or less
References for CVE-2021-47085
-
https://git.kernel.org/stable/c/371a874ea06f147d6ca30be43dad33683965eba6
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/b2f37aead1b82a770c48b5d583f35ec22aabb61e
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/83ba6ec97c74fb1a60f7779a26b6a94b28741d8a
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/a7b0ae2cc486fcb601f9f9d87d98138cc7b7f7f9
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/a5c6a13e9056d87805ba3042c208fbd4164ad22b
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
-
https://git.kernel.org/stable/c/03d00f7f1815ec00dab5035851b3de83afd054a8
hamradio: improve the incomplete fix to avoid NPD - kernel/git/stable/linux.git - Linux kernel stable tree
Jump to