CVE-2021-47281 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: Fix race of snd_seq_timer_open() The timer instance per queue is exclusive, and snd_seq_timer_open() should have managed the concurrent accesses. It looks as if it's checking the already existing timer instance at the beginning, but it's not right, because there is no protection, hence any later concurrent call of snd_seq_timer_open() may override the timer instance easily. This may result in UAF, as the leftover timer instance can keep running while the queue itself gets closed, as spotted by syzkaller recently. For avoiding the race, add a proper check at the assignment of tmr->timeri again, and return -EBUSY if it's been already registered.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031
https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273
https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba
https://lore.kernel.org/linux-cve-announce/2024052153-CVE-2021-47281-d193@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47281
https://www.cve.org/CVERecord?id=CVE-2021-47281

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-21T14:20:07.499Z

Updated: 2024-11-04T12:02:54.252Z

Reserved: 2024-05-21T13:27:52.128Z

Link: CVE-2021-47281

Vulnrichment

Updated: 2024-08-04T05:32:08.027Z

NVD

Status : Awaiting Analysis

Published: 2024-05-21T15:15:16.353

Modified: 2024-05-21T16:54:26.047

Link: CVE-2021-47281

Redhat

Severity : Moderate

Publid Date: 2024-05-21T00:00:00Z

Links: CVE-2021-47281 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47281", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T13:27:52.128Z", "datePublished": "2024-05-21T14:20:07.499Z", "dateUpdated": "2024-11-04T12:02:54.252Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:02:54.252Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix race of snd_seq_timer_open()\n\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses. It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily. This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\n\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/core/seq/seq_timer.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "bd7d88b0874f", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "536a7646c00a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "83e197a8414c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/core/seq/seq_timer.c"], "versions": [{"version": "5.10.44", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.11", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba"}, {"url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031"}, {"url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273"}], "title": "ALSA: seq: Fix race of snd_seq_timer_open()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T21:20:28.570330Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:56.494Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.027Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.027Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T21:20:28.570330Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T21:20:32.592Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "ALSA: seq: Fix race of snd_seq_timer_open()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "bd7d88b0874f", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "536a7646c00a", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "83e197a8414c", "versionType": "git"}], "programFiles": ["sound/core/seq/seq_timer.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.10.44", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.12.11", "versionType": "custom", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["sound/core/seq/seq_timer.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba"}, {"url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031"}, {"url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix race of snd_seq_timer_open()\n\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses. It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily. This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\n\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:05:13.106Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47281", "state": "PUBLISHED", "dateUpdated": "2024-08-04T05:32:08.027Z", "dateReserved": "2024-05-21T13:27:52.128Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T14:20:07.499Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix race of snd_seq_timer_open()\n\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses. It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily. This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\n\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: ALSA: seq: Fix race of snd_seq_timer_open(). La instancia del temporizador por cola es exclusiva, y snd_seq_timer_open() deber\u00eda haber gestionado los accesos concurrentes. Parece como si estuviera verificando la instancia del temporizador ya existente al principio, pero no es correcto, porque no hay protecci\u00f3n, por lo tanto, cualquier llamada simult\u00e1nea posterior a snd_seq_timer_open() puede anular la instancia del temporizador f\u00e1cilmente. Esto puede resultar en UAF, ya que la instancia del temporizador sobrante puede seguir ejecut\u00e1ndose mientras la cola se cierra, como descubri\u00f3 syzkaller recientemente. Para evitar la ejecuci\u00f3n, agregue una verificaci\u00f3n adecuada en la asignaci\u00f3n de tmr->timeri nuevamente y devuelva -EBUSY si ya se registr\u00f3."}], "id": "CVE-2021-47281", "lastModified": "2024-05-21T16:54:26.047", "metrics": {}, "published": "2024-05-21T15:15:16.353", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ALSA: seq: Fix race of snd_seq_timer_open()", "id": "2282516", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282516"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nALSA: seq: Fix race of snd_seq_timer_open()\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses. It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily. This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered.", "A vulnerability was found in the Linux kernel's ALSA sequencer, where the snd_seq_timer_open() function fails to properly manage concurrent access to timer instances, which could allow multiple calls to override the timer, leading to a potential use-after-free issue if a timer continues running after its associated queue is closed."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2021-47281", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47281\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47281\nhttps://lore.kernel.org/linux-cve-announce/2024052153-CVE-2021-47281-d193@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.10.44, kernel 5.12.11, kernel 5.13"}