// For flags

CVE-2021-46988

userfaultfd: release page in error path to avoid BUG_ON

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into
shmem_mfill_atomic_pte(). We successfully account the blocks, we
shmem_alloc_page(), but then the copy_from_user() fails. We return
-ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after
dropping the mmap_lock, and retries, calling back into
shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page
should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting
fails, and if so, release it before returning.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: userfaultfd: publicar página en ruta de error para evitar BUG_ON Considere la siguiente secuencia de eventos: 1. Userspace emite un ioctl UFFD, que termina llamando a shmem_mfill_atomic_pte(). Contamos con éxito los bloques, usamos shmem_alloc_page(), pero luego copy_from_user() falla. Volvemos -ENOENT. No publicamos la página que asignamos. 2. Nuestra persona que llama detecta este código de error, intenta copiar_from_user() después de descartar mmap_lock y vuelve a intentarlo, volviendo a llamar a shmem_mfill_atomic_pte(). 3. Mientras tanto, digamos que otro proceso llenó los tmpfs que se estaban utilizando. 4. Entonces shmem_mfill_atomic_pte() no logra bloquear la cuenta esta vez y regresa inmediatamente, sin liberar la página. Esto desencadena un BUG_ON en nuestra persona que llama, que afirma que la página siempre debe consumirse, a menos que se devuelva -ENOENT. Para solucionar este problema, detectar si tenemos esa página "colgante" cuando falla la contabilidad y, en caso afirmativo, liberarla antes de regresar.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-27 CVE Reserved
  • 2024-02-28 CVE Published
  • 2024-02-29 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 4.14.233
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 4.14.233"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 4.19.191
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 4.19.191"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.4.120
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.4.120"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.10.38
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.10.38"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.11.22
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.11.22"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.12.5
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.12.5"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.11 < 5.13
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.13"
en
Affected