Bug 1198437 (CVE-2021-0707)

Summary: VUL-1: CVE-2021-0707: kernel-source: possible memory corruption due to a use after free in dma_buf_release of dma-buf.c
Product: [Novell Products] SUSE Security Incidents Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P5 - None CC: smash_bz, tiwai
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/328864/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-0707:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1199332    

Description Gabriele Sonnu 2022-04-13 08:20:43 UTC
In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a
use after free. This could lead to local escalation of privilege with no
additional execution privileges needed. User interaction is not needed for
exploitation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0707
https://source.android.com/security/bulletin/2022-04-01
Comment 1 Gabriele Sonnu 2022-04-13 08:26:29 UTC
It seems the vulnerability was introduced by 4ab59c3c638c6c8952bf07739805d20eb6358a4d ([0]), included in the following branches, which also contain the fix (05cd84691eafcd7959a1e120d5e72c0dd98c5d91 [1]):

- SLE15-SP3
- SLE15-SP4
- SLE15-SP4-GA
- stable

Therefore I'd say none of our products is affected, but please confirm.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ab59c3c638c6c8952bf07739805d20eb6358a4d
[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=05cd84691eafcd7959a1e120d5e72c0dd98c5d91
Comment 2 Takashi Iwai 2022-04-13 09:01:34 UTC
Yes, SLE15-SP3 already got the fix via git-fixes, and SP4 and stable are based on the newer kernels that already include the fix.

I'm going to update the patch reference on SLE15-SP3 branch.

Reassigned back to security team.
Comment 3 Gabriele Sonnu 2022-04-13 09:14:28 UTC
Thanks, closing.
Comment 11 Swamp Workflow Management 2022-05-16 13:24:16 UTC
SUSE-SU-2022:1669-1: An update that solves 16 vulnerabilities, contains 6 features and has 29 fixes is now available.

Category: security (important)
Bug References: 1028340,1071995,1137728,1152472,1152489,1177028,1179878,1182073,1183723,1187055,1191647,1193556,1193842,1194625,1195651,1195926,1196018,1196114,1196367,1196514,1196639,1196942,1197157,1197391,1197656,1197660,1197677,1197914,1197926,1198077,1198217,1198330,1198400,1198413,1198437,1198448,1198484,1198515,1198516,1198534,1198742,1198825,1198989,1199012,1199024
CVE References: CVE-2020-27835,CVE-2021-0707,CVE-2021-20292,CVE-2021-20321,CVE-2021-38208,CVE-2021-4154,CVE-2022-0812,CVE-2022-1158,CVE-2022-1280,CVE-2022-1353,CVE-2022-1419,CVE-2022-1516,CVE-2022-28356,CVE-2022-28748,CVE-2022-28893,CVE-2022-29156
JIRA References: SLE-13208,SLE-13513,SLE-15172,SLE-15175,SLE-18234,SLE-8449
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    release-notes-sle_rt-15.3.20220422-150300.3.3.2
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.88.2, kernel-rt_debug-5.3.18-150300.88.2, kernel-source-rt-5.3.18-150300.88.2, kernel-syms-rt-5.3.18-150300.88.1, release-notes-sle_rt-15.3.20220422-150300.3.3.2
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.88.2
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.88.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-05-16 13:37:59 UTC
SUSE-SU-2022:1676-1: An update that solves 16 vulnerabilities, contains 6 features and has 25 fixes is now available.

Category: security (important)
Bug References: 1028340,1065729,1071995,1121726,1137728,1152489,1177028,1179878,1182073,1183723,1187055,1191647,1193556,1193842,1195926,1196018,1196114,1196367,1196514,1196639,1196942,1197157,1197391,1197656,1197660,1197914,1197926,1198217,1198330,1198400,1198413,1198437,1198448,1198484,1198515,1198516,1198660,1198742,1198825,1199012,1199024
CVE References: CVE-2020-27835,CVE-2021-0707,CVE-2021-20292,CVE-2021-20321,CVE-2021-38208,CVE-2021-4154,CVE-2022-0812,CVE-2022-1158,CVE-2022-1280,CVE-2022-1353,CVE-2022-1419,CVE-2022-1516,CVE-2022-28356,CVE-2022-28748,CVE-2022-28893,CVE-2022-29156
JIRA References: SLE-13208,SLE-13513,SLE-15172,SLE-15175,SLE-15176,SLE-8449
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.56.1, kernel-source-azure-5.3.18-150300.38.56.1, kernel-syms-azure-5.3.18-150300.38.56.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.56.1, kernel-source-azure-5.3.18-150300.38.56.1, kernel-syms-azure-5.3.18-150300.38.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-05-16 16:24:34 UTC
SUSE-SU-2022:1687-1: An update that solves 16 vulnerabilities, contains 6 features and has 29 fixes is now available.

Category: security (important)
Bug References: 1028340,1071995,1137728,1152472,1152489,1177028,1179878,1182073,1183723,1187055,1191647,1193556,1193842,1194625,1195651,1195926,1196018,1196114,1196367,1196514,1196639,1196942,1197157,1197391,1197656,1197660,1197677,1197914,1197926,1198077,1198217,1198330,1198400,1198413,1198437,1198448,1198484,1198515,1198516,1198534,1198742,1198825,1198989,1199012,1199024
CVE References: CVE-2020-27835,CVE-2021-0707,CVE-2021-20292,CVE-2021-20321,CVE-2021-38208,CVE-2021-4154,CVE-2022-0812,CVE-2022-1158,CVE-2022-1280,CVE-2022-1353,CVE-2022-1419,CVE-2022-1516,CVE-2022-28356,CVE-2022-28748,CVE-2022-28893,CVE-2022-29156
JIRA References: SLE-13208,SLE-13513,SLE-15172,SLE-15175,SLE-18234,SLE-8449
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.68.1, kernel-preempt-5.3.18-150300.59.68.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.68.1, kernel-64kb-5.3.18-150300.59.68.1, kernel-debug-5.3.18-150300.59.68.1, kernel-default-5.3.18-150300.59.68.1, kernel-default-base-5.3.18-150300.59.68.1.150300.18.41.3, kernel-docs-5.3.18-150300.59.68.1, kernel-kvmsmall-5.3.18-150300.59.68.1, kernel-obs-build-5.3.18-150300.59.68.1, kernel-obs-qa-5.3.18-150300.59.68.1, kernel-preempt-5.3.18-150300.59.68.1, kernel-source-5.3.18-150300.59.68.1, kernel-syms-5.3.18-150300.59.68.1, kernel-zfcpdump-5.3.18-150300.59.68.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.68.1, kernel-preempt-5.3.18-150300.59.68.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.68.1, kernel-livepatch-SLE15-SP3_Update_18-1-150300.7.5.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.68.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.68.1, kernel-obs-build-5.3.18-150300.59.68.1, kernel-preempt-5.3.18-150300.59.68.1, kernel-source-5.3.18-150300.59.68.1, kernel-syms-5.3.18-150300.59.68.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.68.1, kernel-default-5.3.18-150300.59.68.1, kernel-default-base-5.3.18-150300.59.68.1.150300.18.41.3, kernel-preempt-5.3.18-150300.59.68.1, kernel-source-5.3.18-150300.59.68.1, kernel-zfcpdump-5.3.18-150300.59.68.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.68.1, kernel-default-base-5.3.18-150300.59.68.1.150300.18.41.3
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.68.1, kernel-default-base-5.3.18-150300.59.68.1.150300.18.41.3
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Marcus Meissner 2022-06-13 11:18:33 UTC
Please note that this CVE was fixed in SLES 15 SP3 GA already due to importing of regular bugfixes.

This CVE was assigned 1.5 years later in April 2022, and referenced due to only the CVE meta reference addition in a recent update.

The issue was already fixed in GA.

No livepatch will be provided, as it is not necessary.