CVE-2021-47656
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
When we mount a jffs2 image, assume that the first few blocks of the image are normal and contain at least one xattr-related inode, but the next block is abnormal. As a result, an error is returned in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then called in jffs2_build_filesystem() and then again in jffs2_do_fill_super().
Finally we can observe the following report:
BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac Read of size 8 at addr ffff8881243384e0 by task mount/719
Call Trace: dump_stack+0x115/0x16b jffs2_clear_xattr_subsystem+0x95/0x6ac jffs2_do_fill_super+0x84f/0xc30 jffs2_fill_super+0x2ea/0x4c0 mtd_get_sb+0x254/0x400 mtd_get_sb_by_nr+0x4f/0xd0 get_tree_mtd+0x498/0x840 jffs2_get_tree+0x25/0x30 vfs_get_tree+0x8d/0x2e0 path_mount+0x50f/0x1e50 do_mount+0x107/0x130 __se_sys_mount+0x1c5/0x2f0 __x64_sys_mount+0xc7/0x160 do_syscall_64+0x45/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 719: kasan_save_stack+0x23/0x60 __kasan_kmalloc.constprop.0+0x10b/0x120 kasan_slab_alloc+0x12/0x20 kmem_cache_alloc+0x1c0/0x870 jffs2_alloc_xattr_ref+0x2f/0xa0 jffs2_scan_medium.cold+0x3713/0x4794 jffs2_do_mount_fs.cold+0xa7/0x2253 jffs2_do_fill_super+0x383/0xc30 jffs2_fill_super+0x2ea/0x4c0 […]
Freed by task 719: kmem_cache_free+0xcc/0x7b0 jffs2_free_xattr_ref+0x78/0x98 jffs2_clear_xattr_subsystem+0xa1/0x6ac jffs2_do_mount_fs.cold+0x5e6/0x2253 jffs2_do_fill_super+0x383/0xc30 jffs2_fill_super+0x2ea/0x4c0 […]
The buggy address belongs to the object at ffff8881243384b8 which belongs to the cache jffs2_xattr_ref of size 48 The buggy address is located 40 bytes inside of 48-byte region [ffff8881243384b8, ffff8881243384e8) […]
The triggering of the BUG is shown in the following stack:
jffs2_fill_super jffs2_do_fill_super jffs2_do_mount_fs jffs2_build_filesystem jffs2_scan_medium jffs2_scan_eraseblock <— ERROR jffs2_clear_xattr_subsystem <— free jffs2_clear_xattr_subsystem <— free again
An error is returned in jffs2_do_mount_fs(). If the error is returned by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to be executed. If the error is returned by jffs2_build_filesystem(), the jffs2_clear_xattr_subsystem() also does not need to be executed again. So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root' to fix this UAF problem.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 9150cb625b46f68d524f4cfd491f1aafc23e10a9 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 3bd2454162ec6bbb5503233c804fce6e4b6dcec5 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < c3b07c875fa8f906f932976460fd14798596f101 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 30bf7244acf32f19cb722c39f7bc1c2a9f300422 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 7bb7428dd73991bf4b3a7a61b493ca50046c2b13 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 7a75740206af5f17e9f3efa384211cba70213da1 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 22327bd7988f21de3a53c1373f3b81542bfe1f44 | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 8c0f024f29e055840a5a89fe23b96ae3f921afed | affected |
| Linux | Linux | aa98d7cf59b5b0764d3502662053489585faf2fe < 4c7c44ee1650677fbe89d86edbad9497b7679b5c | affected |
| Linux | Linux | 2.6.18 | affected |
| Linux | Linux | 0 < 2.6.18 | unaffected |
| Linux | Linux | 4.9.311 <= 4.9.* | unaffected |
| Linux | Linux | 4.14.276 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.238 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.189 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.110 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.33 <= 5.15.* | unaffected |
| Linux | Linux | 5.16.19 <= 5.16.* | unaffected |
| Linux | Linux | 5.17.2 <= 5.17.* | unaffected |
| Linux | Linux | 5.18 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/9150cb625b46f68d524f4cfd491f1aafc23e10a9
- https://git.kernel.org/stable/c/3bd2454162ec6bbb5503233c804fce6e4b6dcec5
- https://git.kernel.org/stable/c/c3b07c875fa8f906f932976460fd14798596f101
- https://git.kernel.org/stable/c/30bf7244acf32f19cb722c39f7bc1c2a9f300422
- https://git.kernel.org/stable/c/7bb7428dd73991bf4b3a7a61b493ca50046c2b13
- https://git.kernel.org/stable/c/7a75740206af5f17e9f3efa384211cba70213da1
- https://git.kernel.org/stable/c/22327bd7988f21de3a53c1373f3b81542bfe1f44
- https://git.kernel.org/stable/c/8c0f024f29e055840a5a89fe23b96ae3f921afed
- https://git.kernel.org/stable/c/4c7c44ee1650677fbe89d86edbad9497b7679b5c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.