{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhamradio: improve the incomplete fix to avoid NPD\n\nThe previous commit 3e0588c291d6 (\"hamradio: defer ax25 kfree after\nunregister_netdev\") reorder the kfree operations and unregister_netdev\noperation to prevent UAF.\n\nThis commit improves the previous one by also deferring the nullify of\nthe ax->tty pointer. Otherwise, a NULL pointer dereference bug occurs.\nPartial of the stack trace is shown below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000538\nRIP: 0010:ax_xmit+0x1f9/0x400\n...\nCall Trace:\n dev_hard_start_xmit+0xec/0x320\n sch_direct_xmit+0xea/0x240\n __qdisc_run+0x166/0x5c0\n __dev_queue_xmit+0x2c7/0xaf0\n ax25_std_establish_data_link+0x59/0x60\n ax25_connect+0x3a0/0x500\n ? security_socket_connect+0x2b/0x40\n __sys_connect+0x96/0xc0\n ? __hrtimer_init+0xc0/0xc0\n ? common_nsleep+0x2e/0x50\n ? switch_fpu_return+0x139/0x1a0\n __x64_sys_connect+0x11/0x20\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThe crash point is shown as below\n\nstatic void ax_encaps(...) {\n ...\n set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags); // ax->tty = NULL!\n ...\n}\n\nBy placing the nullify action after the unregister_netdev, the ax->tty\npointer won't be assigned as NULL net_device framework layer is well\nsynchronized." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "versions": [ { "version": "1da177e4c3f4", "lessThan": "371a874ea06f", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "83ba6ec97c74", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "a7b0ae2cc486", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "b68f41c6320b", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "a5c6a13e9056", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "7dd52af1eb57", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "03d00f7f1815", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "b2f37aead1b8", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "versions": [ { "version": "4.4.297", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.9.295", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.14.260", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.19.223", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.169", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.89", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.12", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/371a874ea06f147d6ca30be43dad33683965eba6" }, { "url": "https://git.kernel.org/stable/c/83ba6ec97c74fb1a60f7779a26b6a94b28741d8a" }, { "url": "https://git.kernel.org/stable/c/a7b0ae2cc486fcb601f9f9d87d98138cc7b7f7f9" }, { "url": "https://git.kernel.org/stable/c/b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59" }, { "url": "https://git.kernel.org/stable/c/a5c6a13e9056d87805ba3042c208fbd4164ad22b" }, { "url": "https://git.kernel.org/stable/c/7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca" }, { "url": "https://git.kernel.org/stable/c/03d00f7f1815ec00dab5035851b3de83afd054a8" }, { "url": "https://git.kernel.org/stable/c/b2f37aead1b82a770c48b5d583f35ec22aabb61e" } ], "title": "hamradio: improve the incomplete fix to avoid NPD", "x_generator": { "engine": "bippy-4986f5686161" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-47085", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }