CVE-2021-47012

RDMA/siw: Fix a use after free in siw_alloc_mr

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix a use after free in siw_alloc_mr

Our code analyzer reported a UAF.

In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of
siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via
kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a
freed object. After, the execution continue up to the err_out branch of
siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).

My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {}
section, to avoid the uaf.

En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: RDMA/siw: Corrige un use after free en siw_alloc_mr Nuestro analizador de código informó un UAF. En siw_alloc_mr(), llama a siw_mr_add_mem(mr,..). En la implementación de siw_mr_add_mem(), mem se asigna a mr->mem y luego mem se libera mediante kfree(mem) si xa_alloc_ciclic() falla. Aquí, mr->mem todavía apunta a un objeto liberado. Después, la ejecución continúa hasta la rama err_out de siw_alloc_mr, y el mr->mem liberado se usa en siw_mr_drop_mem(mr). Mi parche mueve "mr->mem = mem" detrás de la sección if (xa_alloc_ciclic(..)<0) {}, para evitar el uaf.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-27 CVE Reserved
2024-02-28 CVE Published
2024-02-29 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/2251334dcac9eb337575d8767e2a6a7e81848f7f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4	2021-05-14
https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c	2021-05-14
https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4	2021-05-14
https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155	2021-05-14
https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63	2021-04-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.4.119 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.4.119"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.10.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.10.37"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.11.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.11.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.12.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.12.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.13"		en		Affected