CVE-2021-47505
aio: fix use-after-free due to missing POLLFREE handling
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
aio: fix use-after-free due to missing POLLFREE handling
signalfd_poll() and binder_poll() are special in that they use a
waitqueue whose lifetime is the current task, rather than the struct
file as is normally the case. This is okay for blocking polls, since a
blocking poll occurs within one task; however, non-blocking polls
require another solution. This solution is for the queue to be cleared
before it is freed, by sending a POLLFREE notification to all waiters.
Unfortunately, only eventpoll handles POLLFREE. A second type of
non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't
handle POLLFREE. This allows a use-after-free to occur if a signalfd or
binder fd is polled with aio poll, and the waitqueue gets freed.
Fix this by making aio poll handle POLLFREE.
A patch by Ramji Jiyani <ramjiyani@google.com>
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
tried to do this by making aio_poll_wake() always complete the request
inline if POLLFREE is seen. However, that solution had two bugs.
First, it introduced a deadlock, as it unconditionally locked the aio
context while holding the waitqueue lock, which inverts the normal
locking order. Second, it didn't consider that POLLFREE notifications
are missed while the request has been temporarily de-queued.
The second problem was solved by my previous patch. This patch then
properly fixes the use-after-free by handling POLLFREE in a
deadlock-free way. It does this by taking advantage of the fact that
freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: aio: corrige el use-after-free debido a la falta de manejo de POLLFREE. signalfd_poll() y binder_poll() son especiales porque usan una cola de espera cuya duración es la tarea actual, en lugar de la struct archivo como es normalmente el caso. Esto está bien para bloquear encuestas, ya que una encuesta de bloqueo ocurre dentro de una tarea; sin embargo, las encuestas sin bloqueo requieren otra solución. Esta solución consiste en despejar la cola antes de liberarla, enviando una notificación POLLFREE a todos los camareros. Desafortunadamente, sólo eventpoll maneja POLLFREE. Un segundo tipo de encuesta sin bloqueo, aio poll, se agregó en el kernel v4.18 y no maneja POLLFREE. Esto permite que se produzca un use-after-free si se sondea un signalfd o un binder fd con aio poll y se libera la cola de espera. Solucione este problema haciendo que la encuesta de aio se maneje POLLFREE. Un parche de Ramji Jiyani (https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com) intentó hacer esto haciendo que aio_poll_wake() siempre completara la solicitud en línea si Se ve POLLFREE. Sin embargo, esa solución tenía dos errores. Primero, introdujo un punto muerto, ya que bloqueó incondicionalmente el contexto aio mientras mantenía el bloqueo de la cola de espera, lo que invierte el orden de bloqueo normal. En segundo lugar, no consideró que las notificaciones de POLLFREE se pierdan mientras la solicitud ha sido retirada temporalmente de la cola. El segundo problema lo resolvió mi parche anterior. Luego, este parche corrige adecuadamente el use-after-free al manejar POLLFREE sin interbloqueos. Lo hace aprovechando el hecho de que la liberación de la cola de espera tiene un retraso de RCU, similar a lo que hace eventpoll.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-22 CVE Reserved
- 2024-05-24 CVE Published
- 2024-05-25 EPSS Updated
- 2024-11-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/2c14fa838cbefc23cf1c73ca167ed85b274b2913 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2021-47505 | 2024-11-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2283448 | 2024-11-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 4.19.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 4.19.221" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.4.165 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.4.165" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.10.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.10.85" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.15.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.15.8" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.16" | en |
Affected
| ||||||