CVE-2021-47638

Summary

In the Linux kernel, the following vulnerability has been resolved:

ubifs: rename_whiteout: Fix double free for whiteout_ui->data

'whiteout_ui->data' will be freed twice if space budget fail for rename whiteout operation as following process:

rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free!

KASAN reports:

BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70 Call Trace: kfree+0x117/0x490 ubifs_free_inode+0x4f/0x70 [ubifs] i_callback+0x30/0x60 rcu_do_batch+0x366/0xac0 __do_softirq+0x133/0x57f

Allocated by task 1506: kmem_cache_alloc_trace+0x3c2/0x7a0 do_rename+0x9b7/0x1150 [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80

Freed by task 1506: kfree+0x117/0x490 do_rename.cold+0x53/0x8a [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80

The buggy address belongs to the object at ffff88810238bed8 which belongs to the cache kmalloc-8 of size 8

Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode() -> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it (because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release', and the nlink of whiteout inode is 0).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < 8b3c7be16f3f4dfd6e15ac651484e59d3fa36274affected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < 2b3236ecf96db7af5836e1366ce39ace8ce832faaffected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < 14276d38c89a170363e90b6ac0a53c3cf61b87fcaffected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < a90e2dbe66d2647ff95a0442ad2e86482d977fd8affected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < 2ad07009c459e56ebdcc089d850d664660fdb742affected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < b9a937f096e608b3368c1abc920d4d640ba2c94faffected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < 6d7a158a7363c1f6604aa47ae1a280a5c65123ddaffected
LinuxLinux9e0a1fff8db56eaaebb74b4a3ef65f86811c4798 < 40a8f0d5e7b3999f096570edab71c345da812e3eaffected
LinuxLinux4.9affected
LinuxLinux0 < 4.9unaffected
LinuxLinux4.14.276 <= 4.14.*unaffected
LinuxLinux4.19.238 <= 4.19.*unaffected
LinuxLinux5.4.189 <= 5.4.*unaffected
LinuxLinux5.10.110 <= 5.10.*unaffected
LinuxLinux5.15.33 <= 5.15.*unaffected
LinuxLinux5.16.19 <= 5.16.*unaffected
LinuxLinux5.17.2 <= 5.17.*unaffected
LinuxLinux5.18 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References