{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47209", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-04-10T18:59:19.526Z", "datePublished": "2024-04-10T19:01:51.363Z", "dateUpdated": "2024-11-04T12:01:33.461Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:01:33.461Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Prevent dead task groups from regaining cfs_rq's\n\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\n\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\n\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\n\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\n\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\n\n CPU1: CPU2:\n : timer IRQ:\n : do_sched_cfs_period_timer():\n : :\n : distribute_cfs_runtime():\n : rcu_read_lock();\n : :\n : unthrottle_cfs_rq():\n sched_offline_group(): :\n : walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026):\n list_del_rcu(&tg->list); :\n (1) : list_for_each_entry_rcu(child, &parent->children, siblings)\n : :\n (2) list_del_rcu(&tg->siblings); :\n : tg_unthrottle_up():\n unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n : :\n list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :\n : :\n : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n (3) : list_add_leaf_cfs_rq(cfs_rq);\n : :\n : :\n : :\n : :\n : \n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/sched/autogroup.c", "kernel/sched/core.c", "kernel/sched/fair.c", "kernel/sched/rt.c", "kernel/sched/sched.h"], "versions": [{"version": "a7b359fc6a37", "lessThan": "512e21c150c1", "status": "affected", "versionType": "git"}, {"version": "a7b359fc6a37", "lessThan": "b027789e5e50", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/sched/autogroup.c", "kernel/sched/core.c", "kernel/sched/fair.c", "kernel/sched/rt.c", "kernel/sched/sched.h"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.5", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec"}, {"url": "https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479"}], "title": "sched/fair: Prevent dead task groups from regaining cfs_rq's", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T19:45:03.652350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:26.586Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.493Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.493Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T19:45:03.652350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.110Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "sched/fair: Prevent dead task groups from regaining cfs_rq's", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "a7b359fc6a37", "lessThan": "512e21c150c1", "versionType": "git"}, {"status": "affected", "version": "a7b359fc6a37", "lessThan": "b027789e5e50", "versionType": "git"}], "programFiles": ["kernel/sched/autogroup.c", "kernel/sched/core.c", "kernel/sched/fair.c", "kernel/sched/rt.c", "kernel/sched/sched.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.13"}, {"status": "unaffected", "version": "0", "lessThan": "5.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.5", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "semver", "lessThanOrEqual": "*"}], "programFiles": ["kernel/sched/autogroup.c", "kernel/sched/core.c", "kernel/sched/fair.c", "kernel/sched/rt.c", "kernel/sched/sched.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec"}, {"url": "https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479"}], "x_generator": {"engine": "bippy-c8e10e5f6187"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Prevent dead task groups from regaining cfs_rq's\n\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\n\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\n\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\n\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\n\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\n\n CPU1: CPU2:\n : timer IRQ:\n : do_sched_cfs_period_timer():\n : :\n : distribute_cfs_runtime():\n : rcu_read_lock();\n : :\n : unthrottle_cfs_rq():\n sched_offline_group(): :\n : walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026):\n list_del_rcu(&tg->list); :\n (1) : list_for_each_entry_rcu(child, &parent->children, siblings)\n : :\n (2) list_del_rcu(&tg->siblings); :\n : tg_unthrottle_up():\n unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n : :\n list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :\n : :\n : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n (3) : list_add_leaf_cfs_rq(cfs_rq);\n : :\n : :\n : :\n : :\n : \n---truncated---"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:36:51.038Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47209", "state": "PUBLISHED", "dateUpdated": "2024-11-04T11:36:51.038Z", "dateReserved": "2024-04-10T18:59:19.526Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-10T19:01:51.363Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Prevent dead task groups from regaining cfs_rq's\n\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\n\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\n\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\n\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\n\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\n\n CPU1: CPU2:\n : timer IRQ:\n : do_sched_cfs_period_timer():\n : :\n : distribute_cfs_runtime():\n : rcu_read_lock();\n : :\n : unthrottle_cfs_rq():\n sched_offline_group(): :\n : walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026):\n list_del_rcu(&tg->list); :\n (1) : list_for_each_entry_rcu(child, &parent->children, siblings)\n : :\n (2) list_del_rcu(&tg->siblings); :\n : tg_unthrottle_up():\n unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n : :\n list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :\n : :\n : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n (3) : list_add_leaf_cfs_rq(cfs_rq);\n : :\n : :\n : :\n : :\n : \n---truncated---"}], "id": "CVE-2021-47209", "lastModified": "2024-04-10T19:49:51.183", "metrics": {}, "published": "2024-04-10T19:15:48.447", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: sched/fair: Prevent dead task groups from regaining cfs_rq's", "id": "2274577", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274577"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nsched/fair: Prevent dead task groups from regaining cfs_rq's\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\nCPU1: CPU2:\n: timer IRQ:\n: do_sched_cfs_period_timer():\n: :\n: distribute_cfs_runtime():\n: rcu_read_lock();\n: :\n: unthrottle_cfs_rq():\nsched_offline_group(): :\n: walk_tg_tree_from(\u2026,tg_unthrottle_up,\u2026):\nlist_del_rcu(&tg->list); :\n(1) : list_for_each_entry_rcu(child, &parent->children, siblings)\n: :\n(2) list_del_rcu(&tg->siblings); :\n: tg_unthrottle_up():\nunregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n: :\nlist_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :\n: :\n: if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n(3) : list_add_leaf_cfs_rq(cfs_rq);\n: :\n: :\n: :\n: :\n: \n---truncated---"], "name": "CVE-2021-47209", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47209\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47209\nhttps://lore.kernel.org/linux-cve-announce/2024041004-CVE-2021-47209-1cf6@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.5, kernel 5.16"}