CVE-2021-46933

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-46933
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided an eventfd along with function's USB descriptors, it ends up calling eventfd_ctx_put as many times, causing a refcount underflow. NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls. Also, set epfiles to NULL right after de-allocating it, for readability. For completeness, ffs_data_clear actually ends up being called thrice, the last call being before the whole ffs structure gets freed, so when this specific sequence happens there is a second underflow happening (but not being reported): /sys/kernel/debug/tracing# modprobe usb_f_fs /sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter /sys/kernel/debug/tracing# echo function > current_tracer /sys/kernel/debug/tracing# echo 1 > tracing_on (setup gadget, run and kill function userland process, teardown gadget) /sys/kernel/debug/tracing# echo 0 > tracing_on /sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put Warning output corresponding to above trace: [ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c [ 1946.293094] refcount_t: underflow; use-after-free. [ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E) [ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1 [ 1946.417950] Hardware name: BCM2835 [ 1946.425442] Backtrace: [ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24) [ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c [ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30) [ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154) [ 1946.482067] r5:c04a948c r4:c0a71dc8 [ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4) [ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04 [ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c) [ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0 [ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74) [ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs]) [ 1946.582664] r5:c3b84c00 r4:c2695b00 [ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs]) [ 1946.609608] r5:bf54d014 r4:c2695b00 [ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs]) [ 1946.636217] r7:c0dfcb ---truncated---

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 Patch
https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee Patch
https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b Patch
https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 Patch
https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 Patch
https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 Patch
https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 Patch
https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa Patch
https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 Patch
https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee Patch
https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b Patch
https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 Patch
https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 Patch
https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 Patch
https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 Patch
https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

21 Nov 2024, 06:34

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 - Patch () https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 - Patch
References () https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee - Patch () https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee - Patch
References () https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b - Patch () https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b - Patch
References () https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 - Patch () https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 - Patch
References () https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 - Patch () https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 - Patch
References () https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 - Patch () https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 - Patch
References () https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 - Patch () https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 - Patch
References () https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa - Patch () https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa - Patch

10 Apr 2024, 18:36

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux
Linux linux Kernel
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
CWE CWE-416
References () https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 - () https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 - Patch
References () https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee - () https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee - Patch
References () https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b - () https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b - Patch
References () https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 - () https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 - Patch
References () https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 - () https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 - Patch
References () https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 - () https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 - Patch
References () https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 - () https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 - Patch
References () https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa - () https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa - Patch

27 Feb 2024, 14:20

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-27 10:15

Updated : 2024-11-21 06:34

NVD link : CVE-2021-46933

Mitre link : CVE-2021-46933

CVE.ORG link : CVE-2021-46933

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024