CVE-2021-47068

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47068
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47068.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47068
Related
Published
2024-02-29T23:15:08Z
Modified
2024-09-11T02:00:04Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/nfc: fix use-after-free llcpsockbind/connect

Commits 8a4cd82d ("nfc: fix refcount leak in llcpsockconnect()") and c33b1cc62 ("nfc: fix refcount leak in llcpsockbind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets.

This can be triggered by the following simple program: int sock1 = socket( AFNFC, SOCKSTREAM, NFCSOCKPROTOLLCP ); int sock2 = socket( AFNFC, SOCKSTREAM, NFCSOCKPROTOLLCP ); memset( &addr, 0, sizeof(struct sockaddrnfcllcp) ); addr.safamily = AFNFC; addr.nfcprotocol = NFCPROTONFCDEP; bind( sock1, (struct sockaddr) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr) &addr, sizeof(struct sockaddrnfcllcp) ) close(sock1); close(sock2);

Fix this by assigning NULL to llcpsock->local after calling nfcllcplocalput.

This addresses CVE-2021-23134.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}