CVE-2021-47634

ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (1)

MITRE

CWE (0)

CAPEC (-)

Risk

CVSS Score

SSVC

KEV

EPSS

Affected Products (-)

Vendors (1)

linux

Products (1)

linux_kernel

Versions (17)

>= 4.8 < 4.14.276, >= 4.8 < 4.19.238, >= 4.8 < 5.4.189, >= 4.8 < 5.10.110, >= 4.8 < 5.15.33, >= 4.8 < 5.16.19, >= 4.8 < 5.17.2, >= 4.8 < 5.18, 3.2.84, 3.10.103, 3.12.63, 3.14.77, 3.16.39, 3.18.40, 4.1.31, 4.4.19, 4.7.2

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (18)

General (10)

kernel

Exploits & POcs (-)

Patches (8)

kernel

Advisories (-)

Summary

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved: ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ================================================================== The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held
by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be
concurrent. ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.
ubi_detach is bug-free because it uses reference counting to prevent
concurrency. However, uif_init and uif_close in ubi_attach may race with
ubi_cdev_ioctl. uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3
_______________________|________________________|______________________
ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3
_______________________|________________________|______________________
ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free The cause of this problem is that commit 714fb87e8bc0 make device
"available" before it becomes accessible via sysfs. Therefore, we
roll back the modification. We will fix the race condition between
ubi device creation and udev by removing ubi_get_device in
vol_attribute_show and dev_attribute_show.This avoids accessing
uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during
sysfs execution. However, now kernfs ensures that devices will not
be deleted before all reference counting are released.
The key process is shown in the following stack. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-26 CVE Reserved
2025-02-26 CVE Published
2025-02-26 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (18)

URL	Tag	Source
https://git.kernel.org/stable/c/714fb87e8bc05ff78255afc0dca981e8c5242785	Vuln. Introduced
https://git.kernel.org/stable/c/016820bde3f0895d09fcad370415085ba0d1bd4a	Vuln. Introduced
https://git.kernel.org/stable/c/12f567db822241090b90c5645ea9146f6cf8fa42	Vuln. Introduced
https://git.kernel.org/stable/c/31b0fca8ab9b9786fe6e5027c4a8587b47db5abf	Vuln. Introduced
https://git.kernel.org/stable/c/6117840dec60344167038f9511c3770d4c096eaa	Vuln. Introduced
https://git.kernel.org/stable/c/bd7d3de27e7e1acce2e276074a498a82e0834663	Vuln. Introduced
https://git.kernel.org/stable/c/cdf25333b42fb889f086ef65d0734d0dbdc49f4e	Vuln. Introduced
https://git.kernel.org/stable/c/ae32d1b98ba29408df87c0ed47877ca0f248eae7	Vuln. Introduced
https://git.kernel.org/stable/c/4056337b1e81a1b137aa562133dc5430cd2fd19e	Vuln. Introduced
https://git.kernel.org/stable/c/f3db4c640b32485105554e0bfd16bbde585f6fb0	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac	2022-04-20
https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974	2022-04-15
https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8	2022-04-15
https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178	2022-04-08
https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888	2022-04-08
https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8	2022-04-08
https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b	2022-04-08
https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e	2022-01-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 4.14.276 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 4.14.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 4.19.238 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 4.19.238"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 5.4.189 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 5.4.189"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 5.10.110 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 5.10.110"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 5.15.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 5.15.33"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 5.16.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 5.16.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 5.17.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 5.17.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.8 < 5.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.8 < 5.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.2.84 Search vendor "Linux" for product "Linux Kernel" and version "3.2.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.10.103 Search vendor "Linux" for product "Linux Kernel" and version "3.10.103"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.12.63 Search vendor "Linux" for product "Linux Kernel" and version "3.12.63"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.14.77 Search vendor "Linux" for product "Linux Kernel" and version "3.14.77"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.16.39 Search vendor "Linux" for product "Linux Kernel" and version "3.16.39"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				3.18.40 Search vendor "Linux" for product "Linux Kernel" and version "3.18.40"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.1.31 Search vendor "Linux" for product "Linux Kernel" and version "4.1.31"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.4.19 Search vendor "Linux" for product "Linux Kernel" and version "4.4.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.7.2 Search vendor "Linux" for product "Linux Kernel" and version "4.7.2"		en		Affected

CVE-2021-47634

ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (18)

Affected Vendors, Products, and Versions