CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47507 – nfsd: Fix nsfd startup race (again)
https://notcve.org/view.php?id=CVE-2021-47507
In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix nsfd startup race (again) Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first") has re-opened rpc_pipefs_event() race against nfsd_net_id registration (register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76 ("nfsd: fix nsfd startup race triggering BUG_ON"). Restore the order of register_pernet_subsys() vs register_cld_notifier(). Add WARN_ON() to prevent a future regression. Crash info: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012 CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1 pc : rpc_pipefs_event+0x54/0x120 [nfsd] lr : rpc_pipefs_event+0x48/0x120 [nfsd] Call trace: rpc_pipefs_event+0x54/0x120 [nfsd] blocking_notifier_call_chain rpc_fill_super get_tree_keyed rpc_fs_get_tree vfs_get_tree do_mount ksys_mount __arm64_sys_mount el0_svc_handler el0_svc En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: corrige la ejecución de inicio de nsfd (nuevamente) El commit bd5ae9288d64 ("nfsd: registre las operaciones de pernet al final, anule el registro primero") ha reabierto la ejecución de rpc_pipefs_event() contra el registro de nfsd_net_id (register_pernet_subsys( )) que se ha solucionado mediante el commit bb7ffbf29e76 ("nfsd: arreglar la ejecución de inicio de nsfd que activa BUG_ON"). Restaure el orden de Register_pernet_subsys() frente a Register_cld_notifier(). Agregue WARN_ON() para evitar una regresión futura. Información de falla: no se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000012 CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1 pc: rpc_pipefs_event+0x54/0x120 [nfsd] lr: rpc_pipefs_event+0x48/ 0x120 [nfsd] Rastreo de llamadas: rpc_pipefs_event+0x54/0x120 [nfsd] blocking_notifier_call_chain rpc_fill_super get_tree_keyed rpc_fs_get_tree vfs_get_tree do_mount ksys_mount __arm64_sys_mount el0_svc_handler el0_svc • https://git.kernel.org/stable/c/8677e99150b0830d29cc1318b4cc559e176940bb https://git.kernel.org/stable/c/7c7cb07d4affcf41749234fe9dc4d90cd3959e32 https://git.kernel.org/stable/c/bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 https://git.kernel.org/stable/c/4d41f65efeec0a6da6088341203c81e49ebfcd90 https://git.kernel.org/stable/c/f5734b1714ca355703e9ea8fb61d04beff1790b9 https://git.kernel.org/stable/c/c520943a00ad5015704969ad3304c956bcd49d25 https://git.kernel.org/stable/c/8bf902fee5893cfc2f04a698abab47629699ae9a https://git.kernel.org/stable/c/b10252c7ae9c9d7c90552f88b544a44ee •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47506 – nfsd: fix use-after-free due to delegation race
https://notcve.org/view.php?id=CVE-2021-47506
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix use-after-free due to delegation race A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru. Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread. I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: corrige el use-after-free debido a la ejecución de delegación. • https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4 https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4 https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09 https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373 https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3 https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f71 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47505 – aio: fix use-after-free due to missing POLLFREE handling
https://notcve.org/view.php?id=CVE-2021-47505
In the Linux kernel, the following vulnerability has been resolved: aio: fix use-after-free due to missing POLLFREE handling signalfd_poll() and binder_poll() are special in that they use a waitqueue whose lifetime is the current task, rather than the struct file as is normally the case. This is okay for blocking polls, since a blocking poll occurs within one task; however, non-blocking polls require another solution. This solution is for the queue to be cleared before it is freed, by sending a POLLFREE notification to all waiters. Unfortunately, only eventpoll handles POLLFREE. A second type of non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with aio poll, and the waitqueue gets freed. Fix this by making aio poll handle POLLFREE. A patch by Ramji Jiyani <ramjiyani@google.com> (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com) tried to do this by making aio_poll_wake() always complete the request inline if POLLFREE is seen. • https://git.kernel.org/stable/c/2c14fa838cbefc23cf1c73ca167ed85b274b2913 https://git.kernel.org/stable/c/321fba81ec034f88aea4898993c1bf15605c023f https://git.kernel.org/stable/c/4105e6a128e8a98455dfc9e6dbb2ab0c33c4497f https://git.kernel.org/stable/c/47ffefd88abfffe8a040bcc1dd0554d4ea6f7689 https://git.kernel.org/stable/c/60d311f9e6381d779d7d53371f87285698ecee24 https://git.kernel.org/stable/c/50252e4b5e989ce64555c7aef7516bdefc2fea72 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47504 – io_uring: ensure task_work gets run as part of cancelations
https://notcve.org/view.php?id=CVE-2021-47504
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure task_work gets run as part of cancelations If we successfully cancel a work item but that work item needs to be processed through task_work, then we can be sleeping uninterruptibly in io_uring_cancel_generic() and never process it. Hence we don't make forward progress and we end up with an uninterruptible sleep warning. While in there, correct a comment that should be IFF, not IIF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: garantiza que task_work se ejecute como parte de las cancelaciones. Si cancelamos con éxito un elemento de trabajo pero ese elemento de trabajo debe procesarse a través de task_work, entonces podemos estar durmiendo ininterrumpidamente en io_uring_cancel_generic() y nunca procesarlo. Por lo tanto, no avanzamos y terminamos con un aviso de sueño ininterrumpido. • https://git.kernel.org/stable/c/8e12976c0c19ebc14b60046b1348c516a74c25a2 https://git.kernel.org/stable/c/78a780602075d8b00c98070fa26e389b3b3efa72 •
CVSS: 6.2EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47503 – scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()
https://notcve.org/view.php?id=CVE-2021-47503
In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc() Calling scsi_remove_host() before scsi_add_host() results in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000108 RIP: 0010:device_del+0x63/0x440 Call Trace: device_unregister+0x17/0x60 scsi_remove_host+0xee/0x2a0 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx] local_pci_probe+0x3f/0x90 We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host() has not been called yet at that point in time. Function call tree: pm8001_pci_probe() | `- pm8001_pci_alloc() | | | `- pm8001_alloc() | | | `- scsi_remove_host() | `- scsi_add_host() En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: pm80xx: No llamar a scsi_remove_host() en pm8001_alloc() Llamar a scsi_remove_host() antes de scsi_add_host() produce un bloqueo: ERROR: desreferencia del puntero NULL del kernel, dirección: 00000000000000108 RIP : 0010:device_del+0x63/0x440 Seguimiento de llamadas: device_unregister+0x17/0x60 scsi_remove_host+0xee/0x2a0 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx] local_pci_probe+0x3f/0x90 No podemos llamar a scsi_remove_host() en pm8001_ alloc() porque scsi_add_host() no lo ha hecho sido llamado todavía en ese momento. Árbol de llamadas a funciones: pm8001_pci_probe() | `- pm8001_pci_alloc() | | | `- pm8001_alloc() | | | `- scsi_remove_host() | `- scsi_add_host() • https://git.kernel.org/stable/c/05c6c029a44d9f43715577e33e95eba87f44d285 https://git.kernel.org/stable/c/1e434d2687e8bc0b3cdc9dd093c0e9047c0b4add https://git.kernel.org/stable/c/f8dccc1bdea7e21b5ec06c957aef8831c772661c https://git.kernel.org/stable/c/653926205741add87a6cf452e21950eebc6ac10b • CWE-476: NULL Pointer Dereference •