Vulnerability Details : CVE-2021-47459
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
It will trigger a UAF for rx_kref of j1939_priv as follows.

```
        cpu0                                    cpu1
j1939_sk_bind(socket0, ndev0, ...)
j1939_netdev_start
                                        j1939_sk_bind(socket1, ndev0, ...)
                                        j1939_netdev_start
j1939_priv_set
                                        j1939_priv_get_by_ndev_locked
                                        j1939_jsk_add
.....
                                        j1939_netdev_stop
                                        kref_put_lock(&priv->rx_kref, ...)
kref_get(&priv->rx_kref, ...)
REFCOUNT_WARN("addition on 0;...")
```

```
====================================================
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
RIP: 0010:refcount_warn_saturate+0x169/0x1e0
Call Trace:
 j1939_netdev_start+0x68b/0x920
 j1939_sk_bind+0x426/0xeb0
 ? security_socket_bind+0x83/0xb0
```

The rx_kref's kref_get() and kref_put() should be protected by j1939_netdev_lock.
Vulnerability category: Memory Corruption
Products affected by CVE-2021-47459
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-47459
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- Percentile: ~16% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-47459
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 2025-01-14
CWE ids for CVE-2021-47459
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-47459
- https://git.kernel.org/stable/c/6e8811707e2df0c6ba920f0cad3a3bca7b42132f (Patch: "can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv", kernel/git/stable/linux.git)
- https://git.kernel.org/stable/c/864e77771a24c877aaf53aee019f78619cbcd668 (Patch: "can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv", kernel/git/stable/linux.git)
- https://git.kernel.org/stable/c/d9d52a3ebd284882f5562c88e55991add5d01586 (Patch: "can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv", kernel/git/stable/linux.git)
- https://git.kernel.org/stable/c/a0e47d2833b4f65e6c799f28c6b636d36b8b936d (Patch: "can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv", kernel/git/stable/linux.git)