CVE-2021-47318

arch_topology: Avoid use-after-free for scale_freq_data

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: arch_topology: Avoid use-after-free for scale_freq_data Currently topology_scale_freq_tick() (which gets called from
scheduler_tick()) may end up using a pointer to "struct
scale_freq_data", which was previously cleared by
topology_clear_scale_freq_source(), as there is no protection in place
here. The users of topology_clear_scale_freq_source() though needs a
guarantee that the previously cleared scale_freq_data isn't used
anymore, so they can free the related resources. Since topology_scale_freq_tick() is called from scheduler tick, we don't
want to add locking in there. Use the RCU update mechanism instead
(which is already used by the scheduler's utilization update path) to
guarantee race free updates here. synchronize_rcu() makes sure that all RCU critical sections that started
before it is called, will finish before it returns. And so the callers
of topology_clear_scale_freq_source() don't need to worry about their
callback getting called anymore.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arch_topology: Evite el use after free para scale_freq_data. Actualmente, topology_scale_freq_tick() (que se llama desde Scheduler_tick()) puede terminar usando un puntero a "struct scale_freq_data", que anteriormente era borrado por topology_clear_scale_freq_source(), ya que no existe ninguna protección aquí. Sin embargo, los usuarios de topology_clear_scale_freq_source() necesitan una garantía de que el scale_freq_data previamente borrado ya no se utiliza, para que puedan liberar los recursos relacionados. Dado que topology_scale_freq_tick() se llama desde el tick del programador, no queremos agregar bloqueo allí. Utilice en su lugar el mecanismo de actualización de RCU (que ya se utiliza en la ruta de actualización de utilización del programador) para garantizar actualizaciones sin ejecucións aquí. sincronizar_rcu() se asegura de que todas las secciones críticas de RCU que comenzaron antes de ser llamada terminen antes de que regrese. Y así, las personas que llaman a topology_clear_scale_freq_source() ya no necesitan preocuparse de que se llame a su devolución de llamada.

In the Linux kernel, the following vulnerability has been resolved: arch_topology: Avoid use-after-free for scale_freq_data Currently topology_scale_freq_tick() (which gets called from scheduler_tick()) may end up using a pointer to "struct scale_freq_data", which was previously cleared by topology_clear_scale_freq_source(), as there is no protection in place here. The users of topology_clear_scale_freq_source() though needs a guarantee that the previously cleared scale_freq_data isn't used anymore, so they can free the related resources. Since topology_scale_freq_tick() is called from scheduler tick, we don't want to add locking in there. Use the RCU update mechanism instead (which is already used by the scheduler's utilization update path) to guarantee race free updates here. synchronize_rcu() makes sure that all RCU critical sections that started before it is called, will finish before it returns. And so the callers of topology_clear_scale_freq_source() don't need to worry about their callback getting called anymore.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/01e055c120a46e78650b5f903088badbbdaae9ad	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ccdf7e073170886bc370c613e269de610a794c4a	2021-07-20
https://git.kernel.org/stable/c/83150f5d05f065fb5c12c612f119015cabdcc124	2021-07-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.13.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.13.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.14"		en		Affected