CVE-2021-47338

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47338
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47338.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47338
Related
Published
2024-05-21T15:15:20Z
Modified
2024-09-11T04:41:08.182339Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

fbmem: Do not delete the mode that is still in use

The execution of fb_delete_videomode() is not based on the result of the previous fbcon_mode_deleted(). As a result, the mode is directly deleted, regardless of whether it is still in use, which may cause UAF.

==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962

CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ...
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x640 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x13d/0x1e0 mm/kasan/report.c:562
 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924
 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746
 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18960:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1541 [inline]
 slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574
 slab_free mm/slub.c:3139 [inline]
 kfree+0xca/0x3d0 mm/slub.c:4121
 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104
 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978
 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.10.70-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.14.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.14.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}