In the Linux kernel, the following vulnerability has been resolved:
net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
If some error happens in emac_tx_fill_tpd(), the skb will be freed via
dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).
As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,
thus my patch assigns skb->len to 'len' before the possible free and
use 'len' instead of skb->len later.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Redhat |
|
No data.
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | |||
| kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10 | cpe:/a:redhat:enterprise_linux:8::nfv | RHSA-2024:3627 | 2024-06-05T00:00:00Z |
| kernel-0:4.18.0-553.5.1.el8_10 | cpe:/o:redhat:enterprise_linux:8 | RHSA-2024:3618 | 2024-06-05T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Extended Update Support | |||
| kernel-0:4.18.0-372.105.1.el8_6 | cpe:/o:redhat:rhel_eus:8.6 | RHSA-2024:3462 | 2024-05-29T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | |||
| kernel-0:4.18.0-477.58.1.el8_8 | cpe:/o:redhat:rhel_eus:8.8 | RHSA-2024:3810 | 2024-06-11T00:00:00Z |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | |||
| kernel-0:4.18.0-372.105.1.el8_6 | cpe:/o:redhat:rhev_hypervisor:4.4::el8 | RHSA-2024:3462 | 2024-05-29T00:00:00Z |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-02-28T08:13:30.905Z
Updated: 2024-08-04T05:24:39.713Z
Reserved: 2024-02-27T18:42:55.953Z
Link: CVE-2021-47013
Vulnrichment
Updated: 2024-08-04T05:24:39.713Z
NVD
Status : Awaiting Analysis
Published: 2024-02-28T09:15:38.800
Modified: 2024-02-28T14:06:45.783
Link: CVE-2021-47013
Redhat