CVE-2021-47341 - OpenCVE

Link	Providers
https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e
https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204
https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066
https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061
https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a
https://lore.kernel.org/linux-cve-announce/2024052137-CVE-2021-47341-f4e9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47341
https://www.cve.org/CVERecord?id=CVE-2021-47341

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47341", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T14:28:16.979Z", "datePublished": "2024-05-21T14:35:49.001Z", "dateUpdated": "2024-11-04T12:04:02.362Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:04:02.362Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\n\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\n\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\n show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x110/0x164 lib/dump_stack.c:118\n print_address_description+0x78/0x5c8 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x148/0x1e4 mm/kasan/report.c:562\n check_memory_region_inline mm/kasan/generic.c:183 [inline]\n __asan_load8+0xb4/0xbc mm/kasan/generic.c:252\n kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nAllocated by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475\n kmem_cache_alloc_trace include/linux/slab.h:450 [inline]\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\n kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nFreed by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x38/0x6c mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\n kasan_slab_free+0x10/0x1c mm/kasan/common.c:431\n slab_free_hook mm/slub.c:1544 [inline]\n slab_free_freelist_hook mm/slub.c:1577 [inline]\n slab_free mm/slub.c:3142 [inline]\n kfree+0x104/0x38c mm/slub.c:4124\n coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\n kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\n kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\n kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/sys\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["virt/kvm/coalesced_mmio.c"], "versions": [{"version": "7d1bc32d6477", "lessThan": "f2ff9d03432f", "status": "affected", "versionType": "git"}, {"version": "2a20592baff5", "lessThan": "679837dc0aba", "status": "affected", "versionType": "git"}, {"version": "50cbad42bfea", "lessThan": "8d7c539316d6", "status": "affected", "versionType": "git"}, {"version": "5d3c4c79384a", "lessThan": "069d44a24c0f", "status": "affected", "versionType": "git"}, {"version": "5d3c4c79384a", "lessThan": "23fa2e46a555", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["virt/kvm/coalesced_mmio.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.134", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.52", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.19", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13.4", "lessThanOrEqual": "5.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a"}, {"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066"}, {"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061"}, {"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e"}, {"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204"}], "title": "KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.601Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:38:50.302115Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:49.116Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.601Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:38:50.302115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.923Z"}}], "cna": {"title": "KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "7d1bc32d6477", "lessThan": "f2ff9d03432f", "versionType": "git"}, {"status": "affected", "version": "2a20592baff5", "lessThan": "679837dc0aba", "versionType": "git"}, {"status": "affected", "version": "50cbad42bfea", "lessThan": "8d7c539316d6", "versionType": "git"}, {"status": "affected", "version": "5d3c4c79384a", "lessThan": "069d44a24c0f", "versionType": "git"}, {"status": "affected", "version": "5d3c4c79384a", "lessThan": "23fa2e46a555", "versionType": "git"}], "programFiles": ["virt/kvm/coalesced_mmio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.13"}, {"status": "unaffected", "version": "0", "lessThan": "5.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.134", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.52", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.12.19", "versionType": "semver", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13.4", "versionType": "semver", "lessThanOrEqual": "5.13.*"}, {"status": "unaffected", "version": "5.14", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["virt/kvm/coalesced_mmio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a"}, {"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066"}, {"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061"}, {"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e"}, {"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\n\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\n\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\n show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x110/0x164 lib/dump_stack.c:118\n print_address_description+0x78/0x5c8 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x148/0x1e4 mm/kasan/report.c:562\n check_memory_region_inline mm/kasan/generic.c:183 [inline]\n __asan_load8+0xb4/0xbc mm/kasan/generic.c:252\n kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nAllocated by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475\n kmem_cache_alloc_trace include/linux/slab.h:450 [inline]\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\n kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nFreed by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x38/0x6c mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\n kasan_slab_free+0x10/0x1c mm/kasan/common.c:431\n slab_free_hook mm/slub.c:1544 [inline]\n slab_free_freelist_hook mm/slub.c:1577 [inline]\n slab_free mm/slub.c:3142 [inline]\n kfree+0x104/0x38c mm/slub.c:4124\n coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\n kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\n kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\n kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/sys\n---truncated---"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:04:02.362Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47341", "state": "PUBLISHED", "dateUpdated": "2024-11-04T12:04:02.362Z", "dateReserved": "2024-05-21T14:28:16.979Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T14:35:49.001Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\n\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\n\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\n show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x110/0x164 lib/dump_stack.c:118\n print_address_description+0x78/0x5c8 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x148/0x1e4 mm/kasan/report.c:562\n check_memory_region_inline mm/kasan/generic.c:183 [inline]\n __asan_load8+0xb4/0xbc mm/kasan/generic.c:252\n kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nAllocated by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475\n kmem_cache_alloc_trace include/linux/slab.h:450 [inline]\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\n kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nFreed by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x38/0x6c mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\n kasan_slab_free+0x10/0x1c mm/kasan/common.c:431\n slab_free_hook mm/slub.c:1544 [inline]\n slab_free_freelist_hook mm/slub.c:1577 [inline]\n slab_free mm/slub.c:3142 [inline]\n kfree+0x104/0x38c mm/slub.c:4124\n coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\n kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\n kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\n kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/sys\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: KVM: mmio: Arreglar use-after-free Leer en kvm_vm_ioctl_unregister_coalesced_mmio BUG: KASAN: use-after-free en kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../. ./../virt/kvm/coalesced_mmio.c:183 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff0000c03a2500 por tarea syz-executor083/4269 CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Nombre de hardware: linux ,dummy-virt (DT) Seguimiento de llamadas: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [en l\u00ednea] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [en l\u00ednea] kasan_report+0x148/0x1e4 mm/kasan /report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [en l\u00ednea] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../ ../virt/kvm/coalesced_mmio.c:183 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [ en l\u00ednea] __do_sys_ioctl fs/ioctl.c:753 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:739 [en l\u00ednea] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [en l\u00ednea ] invoke_syscall arch/arm64/kernel/syscall.c:48 [en l\u00ednea] el0_svc_common arch/arm64/kernel/syscall.c:158 [en l\u00ednea] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c /0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Asignado por tarea 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [en l\u00ednea] kasan_set_track mm/kasan/common.c:56 [en l\u00ednea] __kasan_kmalloc+0xdc/0x120 mm/kasan /common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450 [en l\u00ednea] kmalloc include/linux/slab.h:552 [en l\u00ednea] kzalloc include/linux /slab.h:664 [en l\u00ednea] kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/. ./../../virt/kvm/kvm_main.c:3746 vfs_ioctl fs/ioctl.c:48 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:753 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:739 [en l\u00ednea] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [en l\u00ednea] invoke_syscall arch/arm64/kernel/syscall.c:48 [en l\u00ednea] el0_svc_common arch/arm64/kernel/syscall .c:158 [en l\u00ednea] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/ kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Liberado por la tarea 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c :48 [en l\u00ednea] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10 /0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [en l\u00ednea] slab_free_freelist_hook mm/slub.c:1577 [en l\u00ednea] slab_free mm/slub.c:3142 [en l\u00ednea] kfree+0x104/0x38c mm /slub.c:4124 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102 kvm_iodevice_destructor include/kvm/iodev.h:61 [en l\u00ednea] kvm_io_bus_unregister_dev+ 0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm /coalesced_mmio.c:186 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [en l\u00ednea] __do_sys_ioctl fs/ioctl .c:753 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:739 ---truncado---"}], "id": "CVE-2021-47341", "lastModified": "2024-05-21T16:54:26.047", "metrics": {}, "published": "2024-05-21T15:15:20.850", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio", "id": "2282418", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282418"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\ndump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\nshow_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n__dump_stack lib/dump_stack.c:77 [inline]\ndump_stack+0x110/0x164 lib/dump_stack.c:118\nprint_address_description+0x78/0x5c8 mm/kasan/report.c:385\n__kasan_report mm/kasan/report.c:545 [inline]\nkasan_report+0x148/0x1e4 mm/kasan/report.c:562\ncheck_memory_region_inline mm/kasan/generic.c:183 [inline]\n__asan_load8+0xb4/0xbc mm/kasan/generic.c:252\nkvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nkvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\nvfs_ioctl fs/ioctl.c:48 [inline]\n__do_sys_ioctl fs/ioctl.c:753 [inline]\n__se_sys_ioctl fs/ioctl.c:739 [inline]\n__arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\ninvoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\nel0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\ndo_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\nel0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\nel0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\nel0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\nAllocated by task 4269:\nstack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\nkasan_save_stack mm/kasan/common.c:48 [inline]\nkasan_set_track mm/kasan/common.c:56 [inline]\n__kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\nkasan_kmalloc+0xc/0x14 mm/kasan/common.c:475\nkmem_cache_alloc_trace include/linux/slab.h:450 [inline]\nkmalloc include/linux/slab.h:552 [inline]\nkzalloc include/linux/slab.h:664 [inline]\nkvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\nkvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\nvfs_ioctl fs/ioctl.c:48 [inline]\n__do_sys_ioctl fs/ioctl.c:753 [inline]\n__se_sys_ioctl fs/ioctl.c:739 [inline]\n__arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\ninvoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\nel0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\ndo_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\nel0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\nel0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\nel0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\nFreed by task 4269:\nstack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\nkasan_save_stack mm/kasan/common.c:48 [inline]\nkasan_set_track+0x38/0x6c mm/kasan/common.c:56\nkasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n__kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\nkasan_slab_free+0x10/0x1c mm/kasan/common.c:431\nslab_free_hook mm/slub.c:1544 [inline]\nslab_free_freelist_hook mm/slub.c:1577 [inline]\nslab_free mm/slub.c:3142 [inline]\nkfree+0x104/0x38c mm/slub.c:4124\ncoalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\nkvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\nkvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\nkvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\nkvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\nvfs_ioctl fs/ioctl.c:48 [inline]\n__do_sys_ioctl fs/ioctl.c:753 [inline]\n__se_sys_ioctl fs/ioctl.c:739 [inline]\n__arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\ninvoke_syscall arch/arm64/kernel/sys\n---truncated---"], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2021-47341", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47341\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47341\nhttps://lore.kernel.org/linux-cve-announce/2024052137-CVE-2021-47341-f4e9@gregkh/T"], "statement": "This vulnerability is rated as a moderate severity because it can cause system crashes or instability by accessing invalid memory.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.4.134, kernel 5.10.52, kernel 5.12.19, kernel 5.13.4, kernel 5.14"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object