CVE-2021-46972

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46972
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46972.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-46972
Published
2024-02-27T19:04:07Z
Modified
2024-09-11T02:00:05Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix leaked dentry

Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock:

  overlayfs: refusing to follow metacopy origin for (/file0)
  ...
  BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
  ...
  WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
  CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1
  ...
  RIP: 0010:umount_check.cold+0x107/0x14d
  ...
  Call Trace:
   d_walk+0x28c/0x950
   ? dentry_lru_isolate+0x2b0/0x2b0
   ? __kasan_slab_free+0x12/0x20
   do_one_tree+0x33/0x60
   shrink_dcache_for_umount+0x78/0x1d0
   generic_shutdown_super+0x70/0x440
   kill_anon_super+0x3e/0x70
   deactivate_locked_super+0xc4/0x160
   deactivate_super+0xfa/0x140
   cleanup_mnt+0x22e/0x370
   __cleanup_mnt+0x1a/0x30
   task_work_run+0x139/0x210
   do_exit+0xb0c/0x2820
   ? __kasan_check_read+0x1d/0x30
   ? find_held_lock+0x35/0x160
   ? lock_release+0x1b6/0x660
   ? mm_update_next_owner+0xa20/0xa20
   ? reacquire_held_locks+0x3f0/0x3f0
   ? __sanitizer_cov_trace_const_cmp4+0x22/0x30
   do_group_exit+0x135/0x380
   __do_sys_exit_group.isra.0+0x20/0x20
   __x64_sys_exit_group+0x3c/0x50
   do_syscall_64+0x45/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  ...
  VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...

This fix has been tested with a syzkaller reproducer.

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}