Bug 1221536 (CVE-2021-47111)

Summary: VUL-0: CVE-2021-47111: kernel: xen-netback: use after free of RX task
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, osalvador
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/397845/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47111:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-18 07:23:01 UTC 
In the Linux kernel, the following vulnerability has been resolved:

xen-netback: take a reference to the RX task thread

Do this in order to prevent the task from being freed if the thread
returns (which can be triggered by the frontend) before the call to
kthread_stop done as part of the backend tear down. Not taking the
reference will lead to a use-after-free in that scenario. Such
reference was taken before but dropped as part of the rework done in
2ac061ce97f4.

Reintroduce the reference taking and add a comment this time
explaining why it's needed.

This is XSA-374 / CVE-2021-28691.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47111
https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08
https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4
https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e
https://www.cve.org/CVERecord?id=CVE-2021-47111
https://bugzilla.redhat.com/show_bug.cgi?id=2269871
Comment 1 Carlos López 2024-03-18 07:23:47 UTC 
cve/linux-5.3 and older are not affected. Already fixed in cve/linux-5.14 and newer.
Comment 3 Gabriele Sonnu 2024-06-10 12:22:19 UTC 
All done, closing.