CVE-2021-47375 - OpenCVE

Link	Providers
https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee
https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5
https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9
https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222
https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26
https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40
https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269
https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069
https://lore.kernel.org/linux-cve-announce/2024052141-CVE-2021-47375-8849@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47375
https://www.cve.org/CVERecord?id=CVE-2021-47375

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H'}`	cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47375", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T14:58:30.811Z", "datePublished": "2024-05-21T15:03:39.090Z", "dateUpdated": "2024-11-04T12:04:42.277Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:04:42.277Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: Fix uaf in blk_trace access after removing by sysfs\n\nThere is an use-after-free problem triggered by following process:\n\n P1(sda)\t\t\t\tP2(sdb)\n\t\t\techo 0 > /sys/block/sdb/trace/enable\n\t\t\t blk_trace_remove_queue\n\t\t\t synchronize_rcu\n\t\t\t blk_trace_free\n\t\t\t relay_close\nrcu_read_lock\n__blk_add_trace\n trace_note_tsk\n (Iterate running_trace_list)\n\t\t\t relay_close_buf\n\t\t\t\t relay_destroy_buf\n\t\t\t\t kfree(buf)\n trace_note(sdb's bt)\n relay_reserve\n buf->offset <- nullptr deference (use-after-free) !!!\nrcu_read_unlock\n\n[ 502.714379] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n[ 502.715260] #PF: supervisor read access in kernel mode\n[ 502.715903] #PF: error_code(0x0000) - not-present page\n[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0\n[ 502.717252] Oops: 0000 [#1] SMP\n[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360\n[ 502.732872] Call Trace:\n[ 502.733193] __blk_add_trace.cold+0x137/0x1a3\n[ 502.733734] blk_add_trace_rq+0x7b/0xd0\n[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0\n[ 502.734755] blk_mq_start_request+0xde/0x1b0\n[ 502.735287] scsi_queue_rq+0x528/0x1140\n...\n[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0\n[ 502.747501] sg_ioctl+0x466/0x1100\n\nReproduce method:\n ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n ioctl(/dev/sda, BLKTRACESTART)\n ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n ioctl(/dev/sdb, BLKTRACESTART)\n\n echo 0 > /sys/block/sdb/trace/enable &\n // Add delay(mdelay/msleep) before kernel enters blk_trace_free()\n\n ioctl$SG_IO(/dev/sda, SG_IO, ...)\n // Enters trace_note_tsk() after blk_trace_free() returned\n // Use mdelay in rcu region rather than msleep(which may schedule out)\n\nRemove blk_trace from running_list before calling blk_trace_free() by\nsysfs if blk_trace is at Blktrace_running state."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/blktrace.c"], "versions": [{"version": "c71a89615411", "lessThan": "488da313edf3", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "dacfd5e4d114", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "d56171d9360c", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "677e362ba807", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "ebb8d26d93c3", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "3815fe7371d2", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "a5f8e8619261", "status": "affected", "versionType": "git"}, {"version": "c71a89615411", "lessThan": "5afedf670caf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/blktrace.c"], "versions": [{"version": "2.6.30", "status": "affected"}, {"version": "0", "lessThan": "2.6.30", "status": "unaffected", "versionType": "semver"}, {"version": "4.4.286", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.285", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.249", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.209", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.150", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.70", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.14.9", "lessThanOrEqual": "5.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5"}, {"url": "https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269"}, {"url": "https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40"}, {"url": "https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222"}, {"url": "https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069"}, {"url": "https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee"}, {"url": "https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26"}, {"url": "https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9"}], "title": "blktrace: Fix uaf in blk_trace access after removing by sysfs", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-17T17:37:23.607827Z", "id": "CVE-2021-47375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-27T13:59:18.148Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.654Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.654Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-47375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-17T17:37:23.607827Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T17:37:24.813Z"}}], "cna": {"title": "blktrace: Fix uaf in blk_trace access after removing by sysfs", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c71a89615411", "lessThan": "488da313edf3", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "dacfd5e4d114", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "d56171d9360c", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "677e362ba807", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "ebb8d26d93c3", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "3815fe7371d2", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "a5f8e8619261", "versionType": "git"}, {"status": "affected", "version": "c71a89615411", "lessThan": "5afedf670caf", "versionType": "git"}], "programFiles": ["kernel/trace/blktrace.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.30"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.30", "versionType": "semver"}, {"status": "unaffected", "version": "4.4.286", "versionType": "semver", "lessThanOrEqual": "4.4.*"}, {"status": "unaffected", "version": "4.9.285", "versionType": "semver", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.249", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.209", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.150", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.70", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.14.9", "versionType": "semver", "lessThanOrEqual": "5.14.*"}, {"status": "unaffected", "version": "5.15", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["kernel/trace/blktrace.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5"}, {"url": "https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269"}, {"url": "https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40"}, {"url": "https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222"}, {"url": "https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069"}, {"url": "https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee"}, {"url": "https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26"}, {"url": "https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: Fix uaf in blk_trace access after removing by sysfs\n\nThere is an use-after-free problem triggered by following process:\n\n P1(sda)\t\t\t\tP2(sdb)\n\t\t\techo 0 > /sys/block/sdb/trace/enable\n\t\t\t blk_trace_remove_queue\n\t\t\t synchronize_rcu\n\t\t\t blk_trace_free\n\t\t\t relay_close\nrcu_read_lock\n__blk_add_trace\n trace_note_tsk\n (Iterate running_trace_list)\n\t\t\t relay_close_buf\n\t\t\t\t relay_destroy_buf\n\t\t\t\t kfree(buf)\n trace_note(sdb's bt)\n relay_reserve\n buf->offset <- nullptr deference (use-after-free) !!!\nrcu_read_unlock\n\n[ 502.714379] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n[ 502.715260] #PF: supervisor read access in kernel mode\n[ 502.715903] #PF: error_code(0x0000) - not-present page\n[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0\n[ 502.717252] Oops: 0000 [#1] SMP\n[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360\n[ 502.732872] Call Trace:\n[ 502.733193] __blk_add_trace.cold+0x137/0x1a3\n[ 502.733734] blk_add_trace_rq+0x7b/0xd0\n[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0\n[ 502.734755] blk_mq_start_request+0xde/0x1b0\n[ 502.735287] scsi_queue_rq+0x528/0x1140\n...\n[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0\n[ 502.747501] sg_ioctl+0x466/0x1100\n\nReproduce method:\n ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n ioctl(/dev/sda, BLKTRACESTART)\n ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n ioctl(/dev/sdb, BLKTRACESTART)\n\n echo 0 > /sys/block/sdb/trace/enable &\n // Add delay(mdelay/msleep) before kernel enters blk_trace_free()\n\n ioctl$SG_IO(/dev/sda, SG_IO, ...)\n // Enters trace_note_tsk() after blk_trace_free() returned\n // Use mdelay in rcu region rather than msleep(which may schedule out)\n\nRemove blk_trace from running_list before calling blk_trace_free() by\nsysfs if blk_trace is at Blktrace_running state."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:04:42.277Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47375", "state": "PUBLISHED", "dateUpdated": "2024-11-04T12:04:42.277Z", "dateReserved": "2024-05-21T14:58:30.811Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:03:39.090Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: Fix uaf in blk_trace access after removing by sysfs\n\nThere is an use-after-free problem triggered by following process:\n\n P1(sda)\t\t\t\tP2(sdb)\n\t\t\techo 0 > /sys/block/sdb/trace/enable\n\t\t\t blk_trace_remove_queue\n\t\t\t synchronize_rcu\n\t\t\t blk_trace_free\n\t\t\t relay_close\nrcu_read_lock\n__blk_add_trace\n trace_note_tsk\n (Iterate running_trace_list)\n\t\t\t relay_close_buf\n\t\t\t\t relay_destroy_buf\n\t\t\t\t kfree(buf)\n trace_note(sdb's bt)\n relay_reserve\n buf->offset <- nullptr deference (use-after-free) !!!\nrcu_read_unlock\n\n[ 502.714379] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n[ 502.715260] #PF: supervisor read access in kernel mode\n[ 502.715903] #PF: error_code(0x0000) - not-present page\n[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0\n[ 502.717252] Oops: 0000 [#1] SMP\n[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360\n[ 502.732872] Call Trace:\n[ 502.733193] __blk_add_trace.cold+0x137/0x1a3\n[ 502.733734] blk_add_trace_rq+0x7b/0xd0\n[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0\n[ 502.734755] blk_mq_start_request+0xde/0x1b0\n[ 502.735287] scsi_queue_rq+0x528/0x1140\n...\n[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0\n[ 502.747501] sg_ioctl+0x466/0x1100\n\nReproduce method:\n ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n ioctl(/dev/sda, BLKTRACESTART)\n ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\n ioctl(/dev/sdb, BLKTRACESTART)\n\n echo 0 > /sys/block/sdb/trace/enable &\n // Add delay(mdelay/msleep) before kernel enters blk_trace_free()\n\n ioctl$SG_IO(/dev/sda, SG_IO, ...)\n // Enters trace_note_tsk() after blk_trace_free() returned\n // Use mdelay in rcu region rather than msleep(which may schedule out)\n\nRemove blk_trace from running_list before calling blk_trace_free() by\nsysfs if blk_trace is at Blktrace_running state."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blktrace: corrige uaf en el acceso a blk_trace despu\u00e9s de eliminarlo mediante sysfs. Hay un problema de use after free desencadenado por el siguiente proceso: P1(sda) P2(sdb) echo 0 > /sys /block/sdb/trace/enable blk_trace_remove_queue sincronizar_rcu blk_trace_free rel\u00e9_cerrar rcu_read_lock __blk_add_trace trace_note_tsk (Iterar running_trace_list) rel\u00e9_close_buf rel\u00e9_destroy_buf kfree(buf) trace_note(sdb's bt) rel\u00e9_reserve buf->offset <- deferencia nullptr (uso-despu\u00e9s) -gratis) !!! rcu_read_unlock [502.714379] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000010 [502.715260] #PF: acceso de lectura de supervisor en modo kernel [502.715903] #PF: error_code(0x0000) - p\u00e1gina no presente [502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 [ 502.717252] Vaya: 0000 [#1] SMP [ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 [ 502.732872] Seguimiento de llamadas: [ 502.733193] 0x1a3 [502.733734] blk_add_trace_rq+ 0x7b/0xd0 [ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 [ 502.734755] blk_mq_start_request+0xde/0x1b0 [ 502.735287] scsi_queue_rq+0x528/0x1140 ... [ 502.7427 04] sg_new_write.isra.0+0x16e/0x3e0 [ 502.747501] sg_ioctl+0x466/0x1100 M\u00e9todo de reproducci\u00f3n: ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sda, BLKTRACESTART) ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sdb , BLKTRACESTART) echo 0 > /sys/block/sdb/trace/enable & // Agrega retraso(mdelay/msleep) antes de que el kernel entre blk_trace_free() ioctl$SG_IO(/dev/sda, SG_IO, ...) // Entra trace_note_tsk() despu\u00e9s de que blk_trace_free() regresara // Utilice mdelay en la regi\u00f3n rcu en lugar de msleep (que puede programarse) Elimine blk_trace de running_list antes de llamar a blk_trace_free() mediante sysfs si blk_trace est\u00e1 en el estado Blktrace_running."}], "id": "CVE-2021-47375", "lastModified": "2024-10-27T14:35:02.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-21T15:15:23.290", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: blktrace: Fix uaf in blk_trace access after removing by sysfs", "id": "2282370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282370"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblktrace: Fix uaf in blk_trace access after removing by sysfs\nThere is an use-after-free problem triggered by following process:\nP1(sda)P2(sdb)\necho 0 > /sys/block/sdb/trace/enable\nblk_trace_remove_queue\nsynchronize_rcu\nblk_trace_free\nrelay_close\nrcu_read_lock\n__blk_add_trace\ntrace_note_tsk\n(Iterate running_trace_list)\nrelay_close_buf\nrelay_destroy_buf\nkfree(buf)\ntrace_note(sdb's bt)\nrelay_reserve\nbuf->offset <- nullptr deference (use-after-free) !!!\nrcu_read_unlock\n[ 502.714379] BUG: kernel NULL pointer dereference, address:\n0000000000000010\n[ 502.715260] #PF: supervisor read access in kernel mode\n[ 502.715903] #PF: error_code(0x0000) - not-present page\n[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0\n[ 502.717252] Oops: 0000 [#1] SMP\n[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360\n[ 502.732872] Call Trace:\n[ 502.733193] __blk_add_trace.cold+0x137/0x1a3\n[ 502.733734] blk_add_trace_rq+0x7b/0xd0\n[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0\n[ 502.734755] blk_mq_start_request+0xde/0x1b0\n[ 502.735287] scsi_queue_rq+0x528/0x1140\n...\n[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0\n[ 502.747501] sg_ioctl+0x466/0x1100\nReproduce method:\nioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\nioctl(/dev/sda, BLKTRACESTART)\nioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])\nioctl(/dev/sdb, BLKTRACESTART)\necho 0 > /sys/block/sdb/trace/enable &\n// Add delay(mdelay/msleep) before kernel enters blk_trace_free()\nioctl$SG_IO(/dev/sda, SG_IO, ...)\n// Enters trace_note_tsk() after blk_trace_free() returned\n// Use mdelay in rcu region rather than msleep(which may schedule out)\nRemove blk_trace from running_list before calling blk_trace_free() by\nsysfs if blk_trace is at Blktrace_running state."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2021-47375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47375\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47375\nhttps://lore.kernel.org/linux-cve-announce/2024052141-CVE-2021-47375-8849@gregkh/T"], "statement": "This vulnerability is rated as a moderate severity because it can cause system crashes due to improper memory access, but it does not allows an attacker to directly compromise system security or access sensitive data.", "threat_severity": "Moderate", "upstream_fix": "kernel 4.4.286, kernel 4.9.285, kernel 4.14.249, kernel 4.19.209, kernel 5.4.150, kernel 5.10.70, kernel 5.14.9, kernel 5.15"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object