CVE-2021-47334

misc/libmasm/module: Fix two use after free in ibmasm_init_one

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

misc/libmasm/module: Fix two use after free in ibmasm_init_one

In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
allocated by input_allocate_device(), and assigned to
sp->remote.mouse_dev and sp->remote.keybd_dev respectively.

In the err_free_devices error branch of ibmasm_init_one,
mouse_dev and keybd_dev are freed by input_free_device(), and return
error. Then the execution runs into error_send_message error branch
of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called
to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.

My patch add a "error_init_remote" label to handle the error of
ibmasm_init_remote_input_dev(), to avoid the uaf bugs.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: misc/libmasm/module: corrige dos use after free en ibmasm_init_one. En ibmasm_init_one, llama a ibmasm_init_remote_input_dev(). Dentro de ibmasm_init_remote_input_dev, mouse_dev y keybd_dev son asignados por input_allocate_device() y asignados a sp->remote.mouse_dev y sp->remote.keybd_dev respectivamente. En la rama de error err_free_devices de ibmasm_init_one, mouse_dev y keybd_dev se liberan mediante input_free_device() y devuelven un error. Luego, la ejecución se ejecuta en la rama de error error_send_message de ibmasm_init_one, donde se llama a ibmasm_free_remote_input_dev(sp) para cancelar el registro de sp->remote.mouse_dev y sp->remote.keybd_dev liberados. Mi parche agrega una etiqueta "error_init_remote" para manejar el error de ibmasm_init_remote_input_dev(), para evitar los errores de uaf.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/1512e7dc5eb08b7d92a12e2bfcd9cb8c4a1ec069	2021-07-20
https://git.kernel.org/stable/c/29ba8e2ba89ee2862a26d91204dd5fe77ceee25a	2021-07-20
https://git.kernel.org/stable/c/5b06ca113bf197aab2ab61288f42506e0049fbab	2021-07-20
https://git.kernel.org/stable/c/481a76d4749ee3a27f902ba213fdcbb4bb39720e	2021-07-20
https://git.kernel.org/stable/c/38660031e80eaa6cc9370b031c180612f414b00d	2021-07-20
https://git.kernel.org/stable/c/b9c87ce3bc6331f82811a8cf8e930423c22523a3	2021-07-20
https://git.kernel.org/stable/c/ef1067d2baa847d53c9988510d99fb494de4d12c	2021-07-20
https://git.kernel.org/stable/c/a7268e8a227d5a4f0bd1584f556246b0224ab274	2021-07-20
https://git.kernel.org/stable/c/7272b591c4cb9327c43443f67b8fbae7657dd9ae	2021-05-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.4.276 Search vendor "Linux" for product "Linux Kernel" and version " < 4.4.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.9.276 Search vendor "Linux" for product "Linux Kernel" and version " < 4.9.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.14.240 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.240"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.19.198 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.198"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.134 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.134"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.52 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.52"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.12.19 Search vendor "Linux" for product "Linux Kernel" and version " < 5.12.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.13.4 Search vendor "Linux" for product "Linux Kernel" and version " < 5.13.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.14 Search vendor "Linux" for product "Linux Kernel" and version " < 5.14"		en		Affected