Bug 1220951 (CVE-2021-47085)

Summary: VUL-0: REJECTED: CVE-2021-47085: kernel: hamradio: improve the incomplete fix to avoid NPD
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, jlee, rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/396231/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-05 10:14:06 UTC 
In the Linux kernel, the following vulnerability has been resolved:

hamradio: improve the incomplete fix to avoid NPD

The previous commit 3e0588c291d6 ("hamradio: defer ax25 kfree after
unregister_netdev") reorder the kfree operations and unregister_netdev
operation to prevent UAF.

This commit improves the previous one by also deferring the nullify of
the ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.
Partial of the stack trace is shown below.

BUG: kernel NULL pointer dereference, address: 0000000000000538
RIP: 0010:ax_xmit+0x1f9/0x400
...
Call Trace:
 dev_hard_start_xmit+0xec/0x320
 sch_direct_xmit+0xea/0x240
 __qdisc_run+0x166/0x5c0
 __dev_queue_xmit+0x2c7/0xaf0
 ax25_std_establish_data_link+0x59/0x60
 ax25_connect+0x3a0/0x500
 ? security_socket_connect+0x2b/0x40
 __sys_connect+0x96/0xc0
 ? __hrtimer_init+0xc0/0xc0
 ? common_nsleep+0x2e/0x50
 ? switch_fpu_return+0x139/0x1a0
 __x64_sys_connect+0x11/0x20
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The crash point is shown as below

static void ax_encaps(...) {
  ...
  set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!
  ...
}

By placing the nullify action after the unregister_netdev, the ax->tty
pointer won't be assigned as NULL net_device framework layer is well
synchronized.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47085
https://www.cve.org/CVERecord?id=CVE-2021-47085
https://lore.kernel.org/linux-cve-announce/2024030455-CVE-2021-47085-3c44@gregkh/

Patch:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b2f37aead1b8
Comment 1 Andrea Mattiazzo 2024-03-05 10:17:33 UTC 
Already fixed:
-cve/linux-5.14
-stable
-SLE15-SP6

@kernel-team please add the CVE reference.

cve/linux-4.4, cve/linux-4.12, cve/linux-5.3 not affected because CONFIG_MKISS is not set.
Comment 3 Joey Lee 2024-03-22 09:07:24 UTC 
(In reply to Robert Frohl from comment #2)
> REJECTED:
> 
> https://lore.kernel.org/linux-cve-announce/2024031945-REJECTED-6d41@gregkh/T/
> #u

Because CVE-2021-47085 be rejected by upstream. Reset assigner.
Comment 4 Andrea Mattiazzo 2024-05-31 13:11:31 UTC 
All done, closing.