CVE-2021-47341

{"id": "CVE-2021-47341", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:20.850", "references": [{"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\n\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\n\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\n show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x110/0x164 lib/dump_stack.c:118\n print_address_description+0x78/0x5c8 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x148/0x1e4 mm/kasan/report.c:562\n check_memory_region_inline mm/kasan/generic.c:183 [inline]\n __asan_load8+0xb4/0xbc mm/kasan/generic.c:252\n kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nAllocated by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475\n kmem_cache_alloc_trace include/linux/slab.h:450 [inline]\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\n kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nFreed by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x38/0x6c mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\n kasan_slab_free+0x10/0x1c mm/kasan/common.c:431\n slab_free_hook mm/slub.c:1544 [inline]\n slab_free_freelist_hook mm/slub.c:1577 [inline]\n slab_free mm/slub.c:3142 [inline]\n kfree+0x104/0x38c mm/slub.c:4124\n coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\n kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\n kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\n kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/sys\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: KVM: mmio: Arreglar use-after-free Leer en kvm_vm_ioctl_unregister_coalesced_mmio BUG: KASAN: use-after-free en kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../. ./../virt/kvm/coalesced_mmio.c:183 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff0000c03a2500 por tarea syz-executor083/4269 CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Nombre de hardware: linux ,dummy-virt (DT) Seguimiento de llamadas: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [en l\u00ednea] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [en l\u00ednea] kasan_report+0x148/0x1e4 mm/kasan /report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [en l\u00ednea] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../ ../virt/kvm/coalesced_mmio.c:183 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [ en l\u00ednea] __do_sys_ioctl fs/ioctl.c:753 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:739 [en l\u00ednea] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [en l\u00ednea ] invoke_syscall arch/arm64/kernel/syscall.c:48 [en l\u00ednea] el0_svc_common arch/arm64/kernel/syscall.c:158 [en l\u00ednea] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c /0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Asignado por tarea 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [en l\u00ednea] kasan_set_track mm/kasan/common.c:56 [en l\u00ednea] __kasan_kmalloc+0xdc/0x120 mm/kasan /common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450 [en l\u00ednea] kmalloc include/linux/slab.h:552 [en l\u00ednea] kzalloc include/linux /slab.h:664 [en l\u00ednea] kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/. ./../../virt/kvm/kvm_main.c:3746 vfs_ioctl fs/ioctl.c:48 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:753 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:739 [en l\u00ednea] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [en l\u00ednea] invoke_syscall arch/arm64/kernel/syscall.c:48 [en l\u00ednea] el0_svc_common arch/arm64/kernel/syscall .c:158 [en l\u00ednea] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/ kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Liberado por la tarea 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c :48 [en l\u00ednea] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10 /0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [en l\u00ednea] slab_free_freelist_hook mm/slub.c:1577 [en l\u00ednea] slab_free mm/slub.c:3142 [en l\u00ednea] kfree+0x104/0x38c mm /slub.c:4124 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102 kvm_iodevice_destructor include/kvm/iodev.h:61 [en l\u00ednea] kvm_io_bus_unregister_dev+ 0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm /coalesced_mmio.c:186 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [en l\u00ednea] __do_sys_ioctl fs/ioctl .c:753 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:739 ---truncado---"}], "lastModified": "2025-01-14T17:28:39.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41D74A70-26C8-4D11-B4AF-3B88979BBD13", "versionEndExcluding": "5.4.134", "versionStartIncluding": "5.4.119"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3FEC961-161A-4B3B-B796-792BFC605F48", "versionEndExcluding": "5.10.52", "versionStartIncluding": "5.10.37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D4778B3-2521-408B-900C-9048E76A0D8C", "versionEndExcluding": "5.12", "versionStartIncluding": "5.11.21"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C328D6C-1E12-493E-BECF-66BFBE7FBA73", "versionEndExcluding": "5.12.19", "versionStartIncluding": "5.12.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F93FA3CC-0C79-410B-A7D7-245C2AA0723A", "versionEndExcluding": "5.13.4", "versionStartIncluding": "5.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71268287-21A8-4488-AA4F-23C473153131"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}