CVE-2021-47338

fbmem: Do not delete the mode that is still in use

Severity Score

5.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

fbmem: Do not delete the mode that is still in use

The execution of fb_delete_videomode() is not based on the result of the
previous fbcon_mode_deleted(). As a result, the mode is directly deleted,
regardless of whether it is still in use, which may cause UAF.

==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \ndrivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x137/0x1be lib/dump_stack.c:118
print_address_description+0x6c/0x640 mm/kasan/report.c:385
__kasan_report mm/kasan/report.c:545 [inline]
kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18960:
kasan_save_stack mm/kasan/common.c:48 [inline]
kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
slab_free_hook mm/slub.c:1541 [inline]
slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
slab_free mm/slub.c:3139 [inline]
kfree+0xca/0x3d0 mm/slub.c:4121
fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9

En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: fbmem: No elimina el modo que aún está en uso. La ejecución de fb_delete_videomode() no se basa en el resultado del fbcon_mode_deleted() anterior. Como resultado, el modo se elimina directamente, independientemente de si todavía está en uso, lo que puede causar UAF. ==================================================== ================ BUG: KASAN: use-after-free en fb_mode_is_equal+0x36e/0x5e0 \ drivers/video/fbdev/core/modedb.c:924 Lectura de tamaño 4 en addr ffff88807e0ddb1c por tarea syz-executor.0/18962 CPU: 2 PID: 18962 Comm: syz-executor.0 No contaminado 5.10.45-rc1+ #3 Nombre de hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS .. Seguimiento de llamadas: __dump_stack lib/dump_stack.c:77 [en línea] dump_stack+0x137/0x1be lib/dump_stack.c:118 print_address_description+0x6c/0x640 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c: 545 [en línea] kasan_report+0x13d/0x1e0 mm/kasan/report.c:562 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon .c:2746 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108 vfs_ioctl fs/ioctl.c:48 [en línea ] __do_sys_ioctl fs/ioctl.c:753 [en línea] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 Entry_SYSCALL_64_after_hwframe+0x44/0xa9 Liberado por tarea 18960: kasan_save_stack mm/kasan/common.c:48 [en línea] kasan_set_track+0x3d/0x70 mm/kasan/common.c:56 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x108/0x140 mm/kasan/ common.c:422 slab_free_hook mm/slub.c:1541 [en línea] slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574 slab_free mm/slub.c:3139 [en línea] kfree+0xca/0x3d0 mm/slub.c: 4121 fb_delete_videomode+0x56a/0x820 controladores/video/fbdev/core/modedb.c:1104 fb_set_var+0x1f3/0xdb0 controladores/video/fbdev/core/fbmem.c:978 do_fb_ioctl+0x4d9/0x6e0 controladores/video/fbdev/core/ fbmem.c:1108 vfs_ioctl fs/ioctl.c:48 [en línea] __do_sys_ioctl fs/ioctl.c:753 [en línea] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/ common.c:46 entrada_SYSCALL_64_after_hwframe+0x44/0xa9

A vulnerability was found in the Linux kernel's fbmem subsystem. This issue arises when the system attempts to delete a video mode that is still in use, leading to potential use-after-free errors. This improper handling can result in system crashes or undefined behavior when accessing freed memory.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/13ff178ccd6d3b8074c542a911300b79c4eec255	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/359311b85ebec7c07c3a08ae2f3def946cad33fa	2021-07-20
https://git.kernel.org/stable/c/087bff9acd2ec6db3f61aceb3224bde90fe0f7f8	2021-07-20
https://git.kernel.org/stable/c/f193509afc7ff37a46862610c93b896044d5b693	2021-07-20
https://git.kernel.org/stable/c/d6e76469157d8f240e5dec6f8411aa8d306b1126	2021-07-20
https://git.kernel.org/stable/c/0af778269a522c988ef0b4188556aba97fb420cc	2021-07-13

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-47338	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2282422	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.4.134 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.4.134"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.10.52 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.10.52"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.12.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.12.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.13.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.13.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.3 < 5.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.3 < 5.14"		en		Affected