CVE-2021-46988

userfaultfd: release page in error path to avoid BUG_ON

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into
shmem_mfill_atomic_pte(). We successfully account the blocks, we
shmem_alloc_page(), but then the copy_from_user() fails. We return
-ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after
dropping the mmap_lock, and retries, calling back into
shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page
should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting
fails, and if so, release it before returning.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: userfaultfd: publicar página en ruta de error para evitar BUG_ON Considere la siguiente secuencia de eventos: 1. Userspace emite un ioctl UFFD, que termina llamando a shmem_mfill_atomic_pte(). Contamos con éxito los bloques, usamos shmem_alloc_page(), pero luego copy_from_user() falla. Volvemos -ENOENT. No publicamos la página que asignamos. 2. Nuestra persona que llama detecta este código de error, intenta copiar_from_user() después de descartar mmap_lock y vuelve a intentarlo, volviendo a llamar a shmem_mfill_atomic_pte(). 3. Mientras tanto, digamos que otro proceso llenó los tmpfs que se estaban utilizando. 4. Entonces shmem_mfill_atomic_pte() no logra bloquear la cuenta esta vez y regresa inmediatamente, sin liberar la página. Esto desencadena un BUG_ON en nuestra persona que llama, que afirma que la página siempre debe consumirse, a menos que se devuelva -ENOENT. Para solucionar este problema, detectar si tenemos esa página "colgante" cuando falla la contabilidad y, en caso afirmativo, liberarla antes de regresar.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-27 CVE Reserved
2024-02-28 CVE Published
2024-02-29 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/cb658a453b9327ce96ce5222c24d162b5b65b564	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/319116227e52d49eee671f0aa278bac89b3c1b69	2021-05-22
https://git.kernel.org/stable/c/07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f	2021-05-22
https://git.kernel.org/stable/c/b3f1731c6d7fbc1ebe3ed8eff6d6bec56d76ff43	2021-05-19
https://git.kernel.org/stable/c/140cfd9980124aecb6c03ef2e69c72d0548744de	2021-05-19
https://git.kernel.org/stable/c/ad53127973034c63b5348715a1043d0e80ceb330	2021-05-19
https://git.kernel.org/stable/c/2d59a0ed8b26b8f3638d8afc31f839e27759f1f6	2021-05-19
https://git.kernel.org/stable/c/7ed9d238c7dbb1fdb63ad96a6184985151b0171c	2021-05-15

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 4.14.233 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 4.14.233"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 4.19.191 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 4.19.191"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 5.4.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.4.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 5.10.38 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.10.38"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 5.11.22 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.11.22"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 5.12.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.12.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.11 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.11 < 5.13"		en		Affected