fkie_cve-2021-47506
Vulnerability from fkie_nvd
Published
2024-05-24 15:15
Modified
2025-01-06 20:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix use-after-free due to delegation race
A delegation break could arrive as soon as we've called vfs_setlease. A
delegation break runs a callback which immediately (in
nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
then exit nfs4_set_delegation without hashing the delegation, it will be
freed as soon as the callback is done with it, without ever being
removed from del_recall_lru.
Symptoms show up later as use-after-free or list corruption warnings,
usually in the laundromat thread.
I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
writes" made this bug easier to hit, but I looked as far back as v3.0
and it looks to me it already had the same problem. So I'm not sure
where the bug was introduced; it may have been there from the beginning.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 5.15 | |
| linux | linux_kernel | 5.15 | |
| linux | linux_kernel | 5.15 | |
| linux | linux_kernel | 5.15 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "1FF3BCF2-4788-45E7-BDAC-845DEBF8922F", versionEndExcluding: "4.4.296", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "BEC14782-2EE3-4635-A927-91559E4F451C", versionEndExcluding: "4.9.294", versionStartIncluding: "4.5", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "390D64FF-1DB7-4DD1-ADEF-CE96BEA2607C", versionEndExcluding: "4.14.259", versionStartIncluding: "4.10", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "2D0D89BC-6CF8-4BFB-8C91-472348052528", versionEndExcluding: "4.19.222", versionStartIncluding: "4.15", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "195EBAA1-4CCE-4898-9351-F4A0DBCAA022", versionEndExcluding: "5.4.168", versionStartIncluding: "4.20", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "D9668578-08F7-4694-A86F-FCE448387A79", versionEndExcluding: "5.10.85", versionStartIncluding: "5.5", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "6664ACE2-F748-4AE5-B98B-58803B0B2C3E", versionEndExcluding: "5.15.8", versionStartIncluding: "5.11", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*", matchCriteriaId: "E46C74C6-B76B-4C94-A6A4-FD2FFF62D644", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*", matchCriteriaId: "60134C3A-06E4-48C1-B04F-2903732A4E56", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*", matchCriteriaId: "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*", matchCriteriaId: "AF55383D-4DF2-45DC-93F7-571F4F978EAB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix use-after-free due to delegation race\n\nA delegation break could arrive as soon as we've called vfs_setlease. A\ndelegation break runs a callback which immediately (in\nnfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we\nthen exit nfs4_set_delegation without hashing the delegation, it will be\nfreed as soon as the callback is done with it, without ever being\nremoved from del_recall_lru.\n\nSymptoms show up later as use-after-free or list corruption warnings,\nusually in the laundromat thread.\n\nI suspect aba2072f4523 \"nfsd: grant read delegations to clients holding\nwrites\" made this bug easier to hit, but I looked as far back as v3.0\nand it looks to me it already had the same problem. So I'm not sure\nwhere the bug was introduced; it may have been there from the beginning.", }, { lang: "es", value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: corrige el use-after-free debido a la ejecución de delegación. Una interrupción de la delegación podría llegar tan pronto como hayamos llamado a vfs_setlease. Una interrupción de la delegación ejecuta una devolución de llamada que inmediatamente (en nfsd4_cb_recall_prepare) agrega la delegación a del_recall_lru. Si luego salimos de nfs4_set_delegation sin aplicar hash a la delegación, se liberará tan pronto como finalice la devolución de llamada, sin eliminarse nunca de del_recall_lru. Los síntomas aparecen más tarde como advertencias de use-after-free o de corrupción en la lista, generalmente en el hilo de la lavandería. Sospecho que aba2072f4523 \"nfsd: otorgar delegaciones de lectura a clientes que tienen escrituras\" hizo que este error fuera más fácil de corregir, pero miré hasta la versión 3.0 y me parece que ya tenía el mismo problema. Entonces no estoy seguro de dónde se introdujo el error; puede que haya estado ahí desde el principio.", }, ], id: "CVE-2021-47506", lastModified: "2025-01-06T20:44:45.983", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-05-24T15:15:11.197", references: [ { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373", }, ], sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-416", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.