CVE-2021-47634 (GCVE-0-2021-47634)
Vulnerability from cvelistv5 – Published: 2025-02-26 01:54 – Updated: 2025-05-04 12:41
Title
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:

ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Hulk Robot reported a KASAN report about use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
    Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
    [...]
    Call Trace:
     klist_dec_and_del+0xa7/0x4a0
     klist_put+0xc7/0x1a0
     device_del+0x4d4/0xed0
     cdev_device_del+0x1a/0x80
     ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
     ctrl_cdev_ioctl+0x286/0x2f0 [ubi]

    Allocated by task 1414:
     device_add+0x60a/0x18b0
     cdev_device_add+0x103/0x170
     ubi_create_volume+0x1118/0x1a10 [ubi]
     ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]

    Freed by task 1385:
     cdev_device_del+0x1a/0x80
     ubi_remove_volume+0x438/0x6c0 [ubi]
     ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
    [...]
    ==================================================================

The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held
by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be
concurrent.

ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.
ubi_detach is bug-free because it uses reference counting to prevent
concurrency. However, uif_init and uif_close in ubi_attach may race with
ubi_cdev_ioctl.

uif_init will race with ubi_cdev_ioctl as in the following stack.

              cpu1                    cpu2                     cpu3
    _______________________|________________________|______________________
    ctrl_cdev_ioctl
     ubi_attach_mtd_dev
      uif_init
                             ubi_cdev_ioctl
                              ubi_create_volume
                               cdev_device_add
       ubi_add_volume
       // sysfs exist
       kill_volumes
                                                      ubi_cdev_ioctl
                                                       ubi_remove_volume
                                                        cdev_device_del
                                                         // first free
        ubi_free_volume
         cdev_del
         // double free
       cdev_device_del

And uif_close will race with ubi_cdev_ioctl as in the following stack.

              cpu1                    cpu2                     cpu3
    _______________________|________________________|______________________
    ctrl_cdev_ioctl
     ubi_attach_mtd_dev
      uif_init
                             ubi_cdev_ioctl
                              ubi_create_volume
                               cdev_device_add
      ubi_debugfs_init_dev
      //error goto out_uif;
      uif_close
       kill_volumes
                                                      ubi_cdev_ioctl
                                                       ubi_remove_volume
                                                        cdev_device_del
                                                         // first free
        ubi_free_volume
        // double free

The cause of this problem is that commit 714fb87e8bc0 makes the device
"available" before it becomes accessible via sysfs. Therefore, we
roll back the modification. We will fix the race condition between
ubi device creation and udev by removing ubi_get_device in
vol_attribute_show and dev_attribute_show. This avoids accessing
uninitialized ubi_devices[ubi_num].

ubi_get_device is used to prevent devices from being deleted during
sysfs execution. However, now kernfs ensures that devices will not
be deleted before all reference counts are released.
The key process is shown in the following stack.

    device_del
      device_remove_attrs
        device_remove_groups
          sysfs_remove_groups
            sysfs_remove_group
              remove_files
                kernfs_remove_by_name
                  kernfs_remove_by_name_ns
                    __kernfs_remove
                      kernfs_drain

Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-47634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:17:56.634866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:36.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/build.c",
"drivers/mtd/ubi/vmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f149b1bd213820363731aa119e5011ca892a2aac",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "a8ecee49259f8f78d91ddb329ab2be7e6fd01974",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "d727fd32cbd1abf3465f607021bc9c746f17b5a8",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "432b057f8e847ae5a2306515606f8d2defaca178",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "1a3f1cf87054833242fcd0218de0481cf855f888",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "c32fe764191b8ae8b128588beb96e3718d9179d8",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"lessThan": "3cbf0e392f173ba0ce425968c8374a6aa3e90f2e",
"status": "affected",
"version": "714fb87e8bc05ff78255afc0dca981e8c5242785",
"versionType": "git"
},
{
"status": "affected",
"version": "016820bde3f0895d09fcad370415085ba0d1bd4a",
"versionType": "git"
},
{
"status": "affected",
"version": "12f567db822241090b90c5645ea9146f6cf8fa42",
"versionType": "git"
},
{
"status": "affected",
"version": "31b0fca8ab9b9786fe6e5027c4a8587b47db5abf",
"versionType": "git"
},
{
"status": "affected",
"version": "6117840dec60344167038f9511c3770d4c096eaa",
"versionType": "git"
},
{
"status": "affected",
"version": "bd7d3de27e7e1acce2e276074a498a82e0834663",
"versionType": "git"
},
{
"status": "affected",
"version": "cdf25333b42fb889f086ef65d0734d0dbdc49f4e",
"versionType": "git"
},
{
"status": "affected",
"version": "ae32d1b98ba29408df87c0ed47877ca0f248eae7",
"versionType": "git"
},
{
"status": "affected",
"version": "4056337b1e81a1b137aa562133dc5430cd2fd19e",
"versionType": "git"
},
{
"status": "affected",
"version": "f3db4c640b32485105554e0bfd16bbde585f6fb0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/ubi/build.c",
"drivers/mtd/ubi/vmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.276",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.238",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.189",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.110",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n klist_dec_and_del+0xa7/0x4a0\n klist_put+0xc7/0x1a0\n device_del+0x4d4/0xed0\n cdev_device_del+0x1a/0x80\n ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n device_add+0x60a/0x18b0\n cdev_device_add+0x103/0x170\n ubi_create_volume+0x1118/0x1a10 [ubi]\n ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n cdev_device_del+0x1a/0x80\n ubi_remove_volume+0x438/0x6c0 [ubi]\n ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi-\u003edevice_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. 
However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_add_volume\n // sysfs exist\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n cdev_del\n // double free\n cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_debugfs_init_dev\n //error goto out_uif;\n uif_close\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 make device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show.This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counting are released.\nThe key process is shown in the following stack.\n\ndevice_del\n device_remove_attrs\n device_remove_groups\n sysfs_remove_groups\n sysfs_remove_group\n remove_files\n kernfs_remove_by_name\n kernfs_remove_by_name_ns\n __kernfs_remove\n kernfs_drain"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:41:47.680Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac"
},
{
"url": "https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974"
},
{
"url": "https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8"
},
{
"url": "https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178"
},
{
"url": "https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888"
},
{
"url": "https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8"
},
{
"url": "https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b"
},
{
"url": "https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e"
}
],
"title": "ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-47634",
"datePublished": "2025-02-26T01:54:09.135Z",
"dateReserved": "2025-02-26T01:48:21.518Z",
"dateUpdated": "2025-05-04T12:41:47.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}