CVE-2021-47638

ubifs: rename_whiteout: Fix double free for whiteout_ui->data

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (1)

MITRE

CWE (0)

CAPEC (-)

Risk

CVSS Score

SSVC

KEV

EPSS

Affected Products (-)

Vendors (1)

linux

Products (1)

linux_kernel

Versions (8)

>= 4.9 < 4.14.276, >= 4.9 < 4.19.238, >= 4.9 < 5.4.189, >= 4.9 < 5.10.110, >= 4.9 < 5.15.33, >= 4.9 < 5.16.19, >= 4.9 < 5.17.2, >= 4.9 < 5.18

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (9)

General (1)

kernel

Exploits & POcs (-)

Patches (8)

kernel

Advisories (-)

Summary

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved: ubifs: rename_whiteout: Fix double free for whiteout_ui->data 'whiteout_ui->data' will be freed twice if space budget fail for
rename whiteout operation as following process: rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free! KASAN reports:
==================================================================
BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
Call Trace: kfree+0x117/0x490 ubifs_free_inode+0x4f/0x70 [ubifs] i_callback+0x30/0x60 rcu_do_batch+0x366/0xac0 __do_softirq+0x133/0x57f Allocated by task 1506: kmem_cache_alloc_trace+0x3c2/0x7a0 do_rename+0x9b7/0x1150 [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 Freed by task 1506: kfree+0x117/0x490 do_rename.cold+0x53/0x8a [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 The buggy address belongs to the object at ffff88810238bed8 which
belongs to the cache kmalloc-8 of size 8
================================================================== Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
(because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release', and the nlink of whiteout inode is 0).

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-26 CVE Reserved
2025-02-26 CVE Published
2025-02-26 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/9e0a1fff8db56eaaebb74b4a3ef65f86811c4798	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8b3c7be16f3f4dfd6e15ac651484e59d3fa36274	2022-04-20
https://git.kernel.org/stable/c/2b3236ecf96db7af5836e1366ce39ace8ce832fa	2022-04-15
https://git.kernel.org/stable/c/14276d38c89a170363e90b6ac0a53c3cf61b87fc	2022-04-15
https://git.kernel.org/stable/c/a90e2dbe66d2647ff95a0442ad2e86482d977fd8	2022-04-08
https://git.kernel.org/stable/c/2ad07009c459e56ebdcc089d850d664660fdb742	2022-04-08
https://git.kernel.org/stable/c/b9a937f096e608b3368c1abc920d4d640ba2c94f	2022-04-08
https://git.kernel.org/stable/c/6d7a158a7363c1f6604aa47ae1a280a5c65123dd	2022-04-08
https://git.kernel.org/stable/c/40a8f0d5e7b3999f096570edab71c345da812e3e	2022-01-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 4.14.276 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 4.14.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 4.19.238 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 4.19.238"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.4.189 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.4.189"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.10.110 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.10.110"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.15.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.15.33"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.16.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.16.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.17.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.17.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9 < 5.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9 < 5.18"		en		Affected

CVE-2021-47638

ubifs: rename_whiteout: Fix double free for whiteout_ui->data

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (9)

Affected Vendors, Products, and Versions