CVE-2021-47343

dm btree remove: assign new_root only when removal succeeds

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: dm btree remove: assign new_root only when removal succeeds remove_raw() in dm_btree_remove() may fail due to IO read error
(e.g. read the content of origin block fails during shadowing),
and the value of shadow_spine::root is uninitialized, but
the uninitialized value is still assign to new_root in the
end of dm_btree_remove(). For dm-thin, the value of pmd->details_root or pmd->root will become
an uninitialized value, so if trying to read details_info tree again
out-of-bound memory may occur as showed below: general protection fault, probably for non-canonical address 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6 Hardware name: QEMU Standard PC RIP: 0010:metadata_ll_load_ie+0x14/0x30 Call Trace: sm_metadata_count_is_more_than_one+0xb9/0xe0 dm_tm_shadow_block+0x52/0x1c0 shadow_step+0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 dm_ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixing it by only assign new_root when removal succeeds

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: dm btree remove: asigna new_root solo cuando la eliminación se realiza correctamente. remove_raw() en dm_btree_remove() puede fallar debido a un error de lectura de E/S (por ejemplo, la lectura del contenido del bloque de origen falla durante el sombreado), y el valor de shadow_spine::root no está inicializado, pero el valor no inicializado aún se asigna a new_root al final de dm_btree_remove(). Para dm-thin, el valor de pmd->details_root o pmd->root se convertirá en un valor no inicializado, por lo que si intenta leer el árbol de detalles_info nuevamente, puede ocurrir que la memoria esté fuera de los límites, como se muestra a continuación: falla de protección general, probablemente para no usuarios. -dirección canónica 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup No contaminado 5.13.0-rc6 Nombre de hardware: QEMU PC estándar RIP: 0010:metadata_ll_load_ie+0x14/0x30 Seguimiento de llamadas: sm_metadata_count_is_more_than_one+0xb9/0xe0 m_shadow_block+0x52/0x1c0 sombra_paso+ 0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 _ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entrada_SYSCALL_64_after_hwframe+ 0x44/0xae Se soluciona asignando new_root únicamente cuando la eliminación se realiza correctamente

In the Linux kernel, the following vulnerability has been resolved: dm btree remove: assign new_root only when removal succeeds remove_raw() in dm_btree_remove() may fail due to IO read error (e.g. read the content of origin block fails during shadowing), and the value of shadow_spine::root is uninitialized, but the uninitialized value is still assign to new_root in the end of dm_btree_remove(). For dm-thin, the value of pmd->details_root or pmd->root will become an uninitialized value, so if trying to read details_info tree again out-of-bound memory may occur as showed below: general protection fault, probably for non-canonical address 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6 Hardware name: QEMU Standard PC RIP: 0010:metadata_ll_load_ie+0x14/0x30 Call Trace: sm_metadata_count_is_more_than_one+0xb9/0xe0 dm_tm_shadow_block+0x52/0x1c0 shadow_step+0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 dm_ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixing it by only assign new_root when removal succeeds

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4c84b3e0728ffe10d89c633694c35a02b5c477dc	2021-07-20
https://git.kernel.org/stable/c/c154775619186781aaf8a99333ac07437a1768d5	2021-07-20
https://git.kernel.org/stable/c/73f27adaa73e3057a9ec464e33c4f54d34ea5de3	2021-07-20
https://git.kernel.org/stable/c/8fbae4a1bdb5b889490cdee929e68540151536e5	2021-07-20
https://git.kernel.org/stable/c/964d57d1962d7e68f0f578f05d9ae4a104d74851	2021-07-19
https://git.kernel.org/stable/c/ba47e65a5de3e0e8270301a409fc63d3129fdb9e	2021-07-19
https://git.kernel.org/stable/c/89bf942314b78d454db92427201421b5dec132d9	2021-07-19
https://git.kernel.org/stable/c/ad365e9351ac2b450e7e79932ff6abf59342d91a	2021-07-19
https://git.kernel.org/stable/c/b6e58b5466b2959f83034bead2e2e1395cca8aeb	2021-06-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.4.276 Search vendor "Linux" for product "Linux Kernel" and version " < 4.4.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.9.276 Search vendor "Linux" for product "Linux Kernel" and version " < 4.9.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.14.240 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.240"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.19.198 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.198"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.133 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.133"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.51 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.51"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.12.18 Search vendor "Linux" for product "Linux Kernel" and version " < 5.12.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.13.3 Search vendor "Linux" for product "Linux Kernel" and version " < 5.13.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.14 Search vendor "Linux" for product "Linux Kernel" and version " < 5.14"		en		Affected