CVE-2021-47427

scsi: iscsi: Fix iscsi_task use after free

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

scsi: iscsi: Fix iscsi_task use after free

Commit d39df158518c ("scsi: iscsi: Have abort handler get ref to conn")
added iscsi_get_conn()/iscsi_put_conn() calls during abort handling but
then also changed the handling of the case where we detect an already
completed task where we now end up doing a goto to the common put/cleanup
code. This results in a iscsi_task use after free, because the common
cleanup code will do a put on the iscsi_task.

This reverts the goto and moves the iscsi_get_conn() to after we've checked
if the iscsi_task is valid.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: iscsi: corrige el uso after free de iscsi_task. Confirmación d39df158518c ("scsi: iscsi: Have abort handler get ref to conn") se agregaron llamadas iscsi_get_conn()/iscsi_put_conn() durante el manejo de abortos pero luego también cambió el manejo del caso en el que detectamos una tarea ya completada y ahora terminamos haciendo un acceso al código común de put/cleanup. Esto da como resultado un uso de iscsi_task después de la liberación, porque el código de limpieza común colocará iscsi_task. Esto revierte el ir a y mueve iscsi_get_conn() a después de haber verificado si iscsi_task es válido.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/d39df158518ccc3bf24ee18082b5e100c8f014aa	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/1642f51ac0d4f2b55d5748094c49ff8f7191b93c	2021-10-13
https://git.kernel.org/stable/c/258aad75c62146453d03028a44f2f1590d58e1f6	2021-10-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 5.14.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.14.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 5.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.15"		en		Affected