CVE-2021-46921

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46921
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46921.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-46921
Related
Published
2024-02-27T10:15:06Z
Modified
2024-09-11T02:00:06Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

locking/qrwlock: Fix ordering in queuedwritelock_slowpath()

While this code is executed with the waitlock held, a reader can acquire the lock without holding waitlock. The writer side loops checking the value with the atomiccondread_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn’t ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired.

We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it.

Writer | Reader


epscanreadylist() | |- writelockirq() | |- queuedwritelockslowpath() | |- atomiccondreadacquire() | | readlockirqsave(&ep->lock, flags); --> (observes value before unlock) | chainepilockless() | | epi->next = xchg(&ep->ovflist, epi); | | readunlockirqrestore(&ep->lock, flags); | | | atomiccmpxchgrelaxed() | |-- READONCE(ep->ovflist); |

A core can order the read of the ovflist ahead of the atomiccmpxchgrelaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomiccondread can be switched to use relaxed semantics.

[peterz: use try_cmpxchg()]

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}