CVE-2021-47012 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix a use after free in siw_alloc_mr Our code analyzer reported a UAF. In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr). My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the uaf.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63
https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4
https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4
https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c
https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155
https://lore.kernel.org/linux-cve-announce/2024022831-CVE-2021-47012-73c5@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2021-47012
https://www.cve.org/CVERecord?id=CVE-2021-47012

History

Mon, 04 Nov 2024 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-28T08:13:30.284Z

Updated: 2024-11-04T11:57:42.023Z

Reserved: 2024-02-27T18:42:55.953Z

Link: CVE-2021-47012

Vulnrichment

Updated: 2024-08-04T05:24:39.841Z

NVD

Status : Awaiting Analysis

Published: 2024-02-28T09:15:38.753

Modified: 2024-02-28T14:06:45.783

Link: CVE-2021-47012

Redhat

Severity : Moderate

Publid Date: 2024-02-28T00:00:00Z

Links: CVE-2021-47012 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47012", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-27T18:42:55.953Z", "datePublished": "2024-02-28T08:13:30.284Z", "dateUpdated": "2024-11-04T11:57:42.023Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:57:42.023Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr->mem = mem\" behind the if (xa_alloc_cyclic(..)<0) {}\nsection, to avoid the uaf."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/sw/siw/siw_mem.c"], "versions": [{"version": "2251334dcac9", "lessThan": "30b9e92d0b5e", "status": "affected", "versionType": "git"}, {"version": "2251334dcac9", "lessThan": "608a4b90ece0", "status": "affected", "versionType": "git"}, {"version": "2251334dcac9", "lessThan": "3e22b88e02c1", "status": "affected", "versionType": "git"}, {"version": "2251334dcac9", "lessThan": "ad9ce7188432", "status": "affected", "versionType": "git"}, {"version": "2251334dcac9", "lessThan": "3093ee182f01", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/sw/siw/siw_mem.c"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.119", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.37", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.11.21", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.4", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4"}, {"url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c"}, {"url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4"}, {"url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155"}, {"url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63"}], "title": "RDMA/siw: Fix a use after free in siw_alloc_mr", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47012", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-28T20:34:17.324799Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:27.028Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.841Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.841Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47012", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-28T20:34:17.324799Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:13.831Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "RDMA/siw: Fix a use after free in siw_alloc_mr", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2251334dcac9", "lessThan": "30b9e92d0b5e", "versionType": "git"}, {"status": "affected", "version": "2251334dcac9", "lessThan": "608a4b90ece0", "versionType": "git"}, {"status": "affected", "version": "2251334dcac9", "lessThan": "3e22b88e02c1", "versionType": "git"}, {"status": "affected", "version": "2251334dcac9", "lessThan": "ad9ce7188432", "versionType": "git"}, {"status": "affected", "version": "2251334dcac9", "lessThan": "3093ee182f01", "versionType": "git"}], "programFiles": ["drivers/infiniband/sw/siw/siw_mem.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.3"}, {"status": "unaffected", "version": "0", "lessThan": "5.3", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.119", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.37", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.11.21", "versionType": "semver", "lessThanOrEqual": "5.11.*"}, {"status": "unaffected", "version": "5.12.4", "versionType": "semver", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/infiniband/sw/siw/siw_mem.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4"}, {"url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c"}, {"url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4"}, {"url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155"}, {"url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr->mem = mem\" behind the if (xa_alloc_cyclic(..)<0) {}\nsection, to avoid the uaf."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:57:42.023Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47012", "state": "PUBLISHED", "dateUpdated": "2024-11-04T11:57:42.023Z", "dateReserved": "2024-02-27T18:42:55.953Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-28T08:13:30.284Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr->mem = mem\" behind the if (xa_alloc_cyclic(..)<0) {}\nsection, to avoid the uaf."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: RDMA/siw: Corrige un use after free en siw_alloc_mr Nuestro analizador de c\u00f3digo inform\u00f3 un UAF. En siw_alloc_mr(), llama a siw_mr_add_mem(mr,..). En la implementaci\u00f3n de siw_mr_add_mem(), mem se asigna a mr->mem y luego mem se libera mediante kfree(mem) si xa_alloc_ciclic() falla. Aqu\u00ed, mr->mem todav\u00eda apunta a un objeto liberado. Despu\u00e9s, la ejecuci\u00f3n contin\u00faa hasta la rama err_out de siw_alloc_mr, y el mr->mem liberado se usa en siw_mr_drop_mem(mr). Mi parche mueve \"mr->mem = mem\" detr\u00e1s de la secci\u00f3n if (xa_alloc_ciclic(..)<0) {}, para evitar el uaf."}], "id": "CVE-2021-47012", "lastModified": "2024-02-28T14:06:45.783", "metrics": {}, "published": "2024-02-28T09:15:38.753", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: RDMA/siw: Fix a use after free in siw_alloc_mr", "id": "2266844", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266844"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nRDMA/siw: Fix a use after free in siw_alloc_mr\nOur code analyzer reported a UAF.\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).\nMy patch moves \"mr->mem = mem\" behind the if (xa_alloc_cyclic(..)<0) {}\nsection, to avoid the uaf."], "name": "CVE-2021-47012", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47012\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47012\nhttps://lore.kernel.org/linux-cve-announce/2024022831-CVE-2021-47012-73c5@gregkh/T/#u"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.4.119, kernel 5.10.37, kernel 5.11.21, kernel 5.12.4, kernel 5.13"}