Bugzilla – Bug 1220922
VUL-0: REJECTED: CVE-2021-47084: kernel: hamradio: defer ax25 kfree after unregister_netdev
Last modified: 2024-05-31 13:19:43 UTC
In the Linux kernel, the following vulnerability has been resolved: hamradio: defer ax25 kfree after unregister_netdev There is a possible race condition (use-after-free) like below (USE) | (FREE) ax25_sendmsg | ax25_queue_xmit | dev_queue_xmit | __dev_queue_xmit | __dev_xmit_skb | sch_direct_xmit | ... xmit_one | netdev_start_xmit | tty_ldisc_kill __netdev_start_xmit | mkiss_close ax_xmit | kfree ax_encaps | | Even though there are two synchronization primitives before the kfree: 1. wait_for_completion(&ax->dead). This can prevent the race with routines from mkiss_ioctl. However, it cannot stop the routine coming from upper layer, i.e., the ax25_sendmsg. 2. netif_stop_queue(ax->dev). It seems that this line of code aims to halt the transmit queue but it fails to stop the routine that already being xmit. This patch reorder the kfree after the unregister_netdev to avoid the possible UAF as the unregister_netdev() is well synchronized and won't return if there is a running routine. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47084 https://www.cve.org/CVERecord?id=CVE-2021-47084 https://lore.kernel.org/linux-cve-announce/2024030455-CVE-2021-47084-4984@gregkh/ Patch: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e0588c291d6
Already fixed: -cve/linux-5.14 -stable -SLE15-SP6 @kernel-team please add the CVE reference. cve/linux-4.4, cve/linux-4.12, cve/linux-5.3 not affected because CONFIG_MKISS is not set.
REJECTED: https://lore.kernel.org/linux-cve-announce/2024031926-REJECTED-3644@gregkh/T/#u
Rejected, back to sec-team.
Closing as invalid since it's rejected