Bug 1220627 (CVE-2021-47012) - VUL-0: CVE-2021-47012: kernel: RDMA/siw: a use after free in siw_alloc_mr()
Summary: VUL-0: CVE-2021-47012: kernel: RDMA/siw: a use after free in siw_alloc_mr()
Status: NEW
Alias: CVE-2021-47012
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395461/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47012:6.7:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-29 09:16 UTC by SMASH SMASH
Modified: 2024-03-22 12:32 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-29 09:16:00 UTC 
In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix a use after free in siw_alloc_mr

Our code analyzer reported a UAF.

In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
freed object. After, the execution continue up to the err_out branch of
siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).

My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {}
section, to avoid the uaf.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47012
https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4
https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4
https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c
https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155
https://www.cve.org/CVERecord?id=CVE-2021-47012
https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63
https://bugzilla.redhat.com/show_bug.cgi?id=2266844
Comment 1 Carlos López 2024-02-29 09:20:57 UTC 
cve/linux-5.3 is affected (except SLE15-SP3). cve/linux-5.14 and newer are already fixed.
Comment 2 Thomas Bogendoerfer 2024-03-05 15:45:56 UTC 
Backported fixing commit to cve/linux-5.3
Comment 9 Maintenance Automation 2024-03-13 08:30:26 UTC 
SUSE-SU-2024:0857-1: An update that solves 67 vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1200599, 1207653, 1212514, 1213456, 1216223, 1218195, 1218689, 1218915, 1219127, 1219128, 1219146, 1219295, 1219653, 1219827, 1219835, 1219915, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220253, 1220255, 1220328, 1220330, 1220344, 1220398, 1220409, 1220416, 1220418, 1220421, 1220436, 1220444, 1220459, 1220469, 1220482, 1220526, 1220538, 1220570, 1220572, 1220599, 1220627, 1220641, 1220649, 1220660, 1220689, 1220700, 1220735, 1220736, 1220737, 1220742, 1220745, 1220767, 1220796, 1220825, 1220826, 1220831, 1220845, 1220860, 1220863, 1220870, 1220917, 1220918, 1220930, 1220931, 1220932, 1221039, 1221040
CVE References: CVE-2019-25162, CVE-2020-36777, CVE-2020-36784, CVE-2021-46904, CVE-2021-46905, CVE-2021-46906, CVE-2021-46915, CVE-2021-46924, CVE-2021-46929, CVE-2021-46932, CVE-2021-46934, CVE-2021-46953, CVE-2021-46964, CVE-2021-46966, CVE-2021-46968, CVE-2021-46974, CVE-2021-46989, CVE-2021-47005, CVE-2021-47012, CVE-2021-47013, CVE-2021-47054, CVE-2021-47060, CVE-2021-47061, CVE-2021-47069, CVE-2021-47076, CVE-2021-47078, CVE-2021-47083, CVE-2022-20154, CVE-2022-48627, CVE-2023-28746, CVE-2023-35827, CVE-2023-46343, CVE-2023-51042, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52463, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52502, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52569, CVE-2023-52574, CVE-2023-52597, CVE-2023-52605, CVE-2023-6817, CVE-2024-0340, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26593, CVE-2024-26595, CVE-2024-26602, CVE-2024-26607, CVE-2024-26622
Sources used:
openSUSE Leap 15.3 (src): kernel-obs-qa-5.3.18-150300.59.153.1, kernel-livepatch-SLE15-SP3_Update_42-1-150300.7.3.2, kernel-syms-5.3.18-150300.59.153.1, kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_42-1-150300.7.3.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Enterprise Storage 7.1 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-03-13 08:30:42 UTC 
SUSE-SU-2024:0856-1: An update that solves 67 vulnerabilities and has seven security fixes can now be installed.

Category: security (important)
Bug References: 1155518, 1184436, 1185988, 1186286, 1200599, 1207653, 1212514, 1213456, 1216223, 1218195, 1218689, 1218915, 1219127, 1219128, 1219146, 1219295, 1219653, 1219827, 1219835, 1219915, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220253, 1220255, 1220328, 1220330, 1220344, 1220398, 1220409, 1220416, 1220418, 1220421, 1220436, 1220444, 1220459, 1220469, 1220482, 1220526, 1220538, 1220570, 1220572, 1220599, 1220627, 1220641, 1220649, 1220660, 1220700, 1220735, 1220736, 1220737, 1220742, 1220745, 1220767, 1220796, 1220825, 1220826, 1220831, 1220845, 1220860, 1220863, 1220870, 1220917, 1220918, 1220930, 1220931, 1220932, 1221039, 1221040
CVE References: CVE-2019-25162, CVE-2020-36777, CVE-2020-36784, CVE-2021-46904, CVE-2021-46905, CVE-2021-46906, CVE-2021-46915, CVE-2021-46924, CVE-2021-46929, CVE-2021-46932, CVE-2021-46934, CVE-2021-46953, CVE-2021-46964, CVE-2021-46966, CVE-2021-46968, CVE-2021-46974, CVE-2021-46989, CVE-2021-47005, CVE-2021-47012, CVE-2021-47013, CVE-2021-47054, CVE-2021-47060, CVE-2021-47061, CVE-2021-47069, CVE-2021-47076, CVE-2021-47078, CVE-2021-47083, CVE-2022-20154, CVE-2022-48627, CVE-2023-28746, CVE-2023-35827, CVE-2023-46343, CVE-2023-51042, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52463, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52502, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52569, CVE-2023-52574, CVE-2023-52597, CVE-2023-52605, CVE-2023-6817, CVE-2024-0340, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26593, CVE-2024-26595, CVE-2024-26602, CVE-2024-26607, CVE-2024-26622
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): kernel-source-rt-5.3.18-150300.161.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-source-rt-5.3.18-150300.161.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-source-rt-5.3.18-150300.161.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-03-22 12:32:09 UTC 
SUSE-SU-2024:0926-1: An update that solves 65 vulnerabilities and has six security fixes can now be installed.

Category: security (important)
Bug References: 1155518, 1184436, 1185988, 1186286, 1200599, 1212514, 1213456, 1218689, 1218915, 1219127, 1219128, 1219146, 1219295, 1219653, 1219827, 1219835, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220253, 1220255, 1220328, 1220330, 1220344, 1220398, 1220409, 1220416, 1220418, 1220421, 1220436, 1220444, 1220459, 1220469, 1220482, 1220526, 1220538, 1220570, 1220572, 1220599, 1220627, 1220641, 1220649, 1220660, 1220700, 1220735, 1220736, 1220737, 1220742, 1220745, 1220767, 1220796, 1220825, 1220826, 1220831, 1220845, 1220860, 1220863, 1220870, 1220917, 1220918, 1220930, 1220931, 1220932, 1221039, 1221040, 1221287
CVE References: CVE-2019-25162, CVE-2020-36777, CVE-2020-36784, CVE-2021-46904, CVE-2021-46905, CVE-2021-46906, CVE-2021-46915, CVE-2021-46924, CVE-2021-46929, CVE-2021-46932, CVE-2021-46934, CVE-2021-46953, CVE-2021-46964, CVE-2021-46966, CVE-2021-46974, CVE-2021-46989, CVE-2021-47005, CVE-2021-47012, CVE-2021-47013, CVE-2021-47054, CVE-2021-47060, CVE-2021-47061, CVE-2021-47069, CVE-2021-47076, CVE-2021-47078, CVE-2021-47083, CVE-2022-20154, CVE-2022-48627, CVE-2023-28746, CVE-2023-35827, CVE-2023-46343, CVE-2023-51042, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52463, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52502, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52569, CVE-2023-52574, CVE-2023-52597, CVE-2023-52605, CVE-2024-0340, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26593, CVE-2024-26595, CVE-2024-26602, CVE-2024-26607, CVE-2024-26622
Maintenance Incident: [SUSE:Maintenance:32904](https://smelt.suse.de/incident/32904/)
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src):
 kernel-livepatch-SLE15-SP2_Update_46-1-150200.5.3.2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 kernel-obs-build-5.3.18-150200.24.183.1, kernel-syms-5.3.18-150200.24.183.1, kernel-source-5.3.18-150200.24.183.1, kernel-default-base-5.3.18-150200.24.183.1.150200.9.93.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 kernel-obs-build-5.3.18-150200.24.183.1, kernel-syms-5.3.18-150200.24.183.1, kernel-source-5.3.18-150200.24.183.1, kernel-default-base-5.3.18-150200.24.183.1.150200.9.93.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 kernel-obs-build-5.3.18-150200.24.183.1, kernel-syms-5.3.18-150200.24.183.1, kernel-source-5.3.18-150200.24.183.1, kernel-default-base-5.3.18-150200.24.183.1.150200.9.93.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.