CVE-2021-47459

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47459
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47459.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47459
Related
Published
2024-05-22T07:15:10Z
Modified
2024-09-11T04:41:11.616316Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

can: j1939: j1939netdevstart(): fix UAF for rxkref of j1939priv

It will trigger UAF for rxkref of j1939priv as following.

    cpu0                                    cpu1

j1939skbind(socket0, ndev0, ...) j1939netdevstart j1939skbind(socket1, ndev0, ...) j1939netdevstart j1939privset j1939privgetbyndevlocked j1939jskadd ..... j1939netdevstop krefputlock(&priv->rxkref, ...) krefget(&priv->rxkref, ...) REFCOUNT_WARN("addition on 0;...")

==================================================== refcountt: addition on 0; use-after-free. WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcountwarnsaturate+0x169/0x1e0 RIP: 0010:refcountwarnsaturate+0x169/0x1e0 Call Trace: j1939netdevstart+0x68b/0x920 j1939skbind+0x426/0xeb0 ? securitysocket_bind+0x83/0xb0

The rxkref's krefget() and krefput() should use j1939netdev_lock to protect.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}