[SRU][F][PATCH 0/2] CVE-2021-47101
Koichiro Den
koichiro.den at canonical.com
Fri Oct 25 13:27:13 UTC 2024
[Impact]
pid: take a reference when initializing `cad_pid`
During boot, kernel_init_freeable() initializes `cad_pid` to the init
task's struct pid. Later on, we may change `cad_pid` via a sysctl, and
when this happens proc_do_cad_pid() will increment the refcount on the
new pid via get_pid(), and will decrement the refcount on the old pid
via put_pid(). As we never called get_pid() when we initialized
`cad_pid`, we decrement a reference we never incremented, and can therefore
free the init task's struct pid early. As there can be dangling
references to the struct pid, we can later encounter a use-after-free
(e.g. when delivering signals).
This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to
have been around since the conversion of `cad_pid` to struct pid in
commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the
pre-KASAN stone age of v2.6.19.
Fix this by getting a reference to the init task's struct pid when we
assign it to `cad_pid`.
[Fix]
Noble: not affected
Jammy: fixed via stable
Focal: Clean cherry-pick following the backport of a prerequisite commit
Bionic: fix sent to esm ML
Xenial: not affected
Trusty: not affected
[Test Case]
Compile and boot tested
[Where problems could occur]
This backport affects those who use ASIX USB Ethernet devices. An issue
with it would be visible to the user as unpredicted system behavior or
a system crash, especially if some sort of regression is found for
the prerequisite fix commit in the future.
Pavel Skripkin (2):
net: asix: fix uninit value bugs
asix: fix uninit-value in asix_mdio_read()
drivers/net/usb/asix_common.c | 71 +++++++++++++++--------------------
1 file changed, 31 insertions(+), 40 deletions(-)
--
2.43.0
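The refcount imbalance described under [Impact] can be modelled in user space. The following is an added illustration, not part of this patch series or of the kernel source: the `struct pid`, `get_pid()`, `put_pid()`, `init_cad_pid()` and `proc_do_cad_pid()` below are simplified stand-ins that only mirror the kernel's naming and the get/put discipline, and `simulate()` is a hypothetical driver for the two scenarios (missing versus present get_pid() at initialization).

```c
#include <stdio.h>

/* Toy stand-in for the kernel's struct pid: a plain counter instead of
 * refcount_t, plus a flag recording whether the last reference was dropped.
 * This is a constructed model, not kernel code. */
struct pid {
    int count;
    int nr;
    int freed;
};

/* Mirrors get_pid(): take one reference (NULL-safe). */
static struct pid *get_pid(struct pid *p)
{
    if (p)
        p->count++;
    return p;
}

/* Mirrors put_pid(): drop one reference and "free" on reaching zero. */
static void put_pid(struct pid *p)
{
    if (!p)
        return;
    if (--p->count == 0)
        p->freed = 1;
}

static struct pid *cad_pid;

/* Models the assignment in kernel_init_freeable(). With take_reference == 0
 * this is the buggy pre-fix behaviour (plain assignment, no get_pid()); with
 * take_reference == 1 it is the fixed behaviour. */
static void init_cad_pid(struct pid *init_pid, int take_reference)
{
    cad_pid = take_reference ? get_pid(init_pid) : init_pid;
}

/* Models proc_do_cad_pid() on a sysctl write: reference the new pid, then
 * drop the reference held on the old one. This function is correct on its
 * own; it only misbehaves if the initial assignment skipped get_pid(). */
static void proc_do_cad_pid(struct pid *new_pid)
{
    struct pid *old = cad_pid;

    cad_pid = get_pid(new_pid);
    put_pid(old);
}

/* Hypothetical scenario driver (constructed): the init task holds one
 * reference to its own pid, cad_pid is initialized, then a sysctl write
 * points cad_pid elsewhere. Returns the init pid's remaining count.
 * 0 means it was freed while the init task still references it (the
 * use-after-free precondition); 1 means the init task's reference survived. */
static int simulate(int take_reference)
{
    struct pid init_pid = { .count = 1, .nr = 1, .freed = 0 };
    struct pid other = { .count = 1, .nr = 1234, .freed = 0 };

    cad_pid = NULL;
    init_cad_pid(&init_pid, take_reference);
    proc_do_cad_pid(&other);
    return init_pid.count;
}

/* Convenience wrapper: 1 if the scenario freed the init task's pid early. */
static int init_pid_freed_early(int take_reference)
{
    return simulate(take_reference) == 0;
}

int main(void)
{
    printf("without get_pid(): init pid refcount after sysctl = %d (freed early: %s)\n",
           simulate(0), init_pid_freed_early(0) ? "yes" : "no");
    printf("with get_pid():    init pid refcount after sysctl = %d (freed early: %s)\n",
           simulate(1), init_pid_freed_early(1) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that proc_do_cad_pid() is symmetric and correct by itself; the defect is entirely in the initial assignment, which is why the upstream fix is a single get_pid() at the place `cad_pid` is first set rather than a change to the sysctl handler.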