In the Linux kernel, the following vulnerability has been resolved:
igbvf: fix double free in igbvf_probe
In igbvf_probe, if register_netdev() fails, the program will go to
label err_hw_init, and then to label err_ioremap. In free_netdev(), which
is just below label err_ioremap, there is list_for_each_entry_safe and
netif_napi_del which aims to delete all entries in dev->napi_list.
The program has added an entry adapter->rx_ring->napi which is added by
netif_napi_add in igbvf_alloc_queues(). However, adapter->rx_ring has
been freed below label err_hw_init. So this is a UAF.
In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the entry before adapter->rx_ring.
The KASAN logs are as follows:
[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
[ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
[ 35.128360]
[ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
[ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 35.131749] Call Trace:
[ 35.132199] dump_stack_lvl+0x59/0x7b
[ 35.132865] print_address_description+0x7c/0x3b0
[ 35.133707] ? free_netdev+0x1fd/0x450
[ 35.134378] __kasan_report+0x160/0x1c0
[ 35.135063] ? free_netdev+0x1fd/0x450
[ 35.135738] kasan_report+0x4b/0x70
[ 35.136367] free_netdev+0x1fd/0x450
[ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf]
[ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
[ 35.138751] local_pci_probe+0x13c/0x1f0
[ 35.139461] pci_device_probe+0x37e/0x6c0
[ 35.165526]
[ 35.165806] Allocated by task 366:
[ 35.166414] ____kasan_kmalloc+0xc4/0xf0
[ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
[ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf]
[ 35.168866] local_pci_probe+0x13c/0x1f0
[ 35.169565] pci_device_probe+0x37e/0x6c0
[ 35.179713]
[ 35.179993] Freed by task 366:
[ 35.180539] kasan_set_track+0x4c/0x80
[ 35.181211] kasan_set_free_info+0x1f/0x40
[ 35.181942] ____kasan_slab_free+0x103/0x140
[ 35.182703] kfree+0xe3/0x250
[ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf]
[ 35.184040] local_pci_probe+0x13c/0x1f0
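The error-path ordering described above, as an added illustrative model written for this page and not the igbvf driver's or the kernel's own code: a ring allocation carrying an embedded napi node is linked on a netdev's napi_list, then freed either before (the bug) or after (the fix) being unlinked, and a small tracking allocator stands in for KASAN so the list walk can report the stale entry instead of dereferencing freed memory. The structure shapes, the 64-byte payload and the function names ending in _model/_tracked are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Stand-ins for the kernel structures involved (assumed shapes, not the real definitions). */
struct list_head { struct list_head *next, *prev; };
struct napi   { struct list_head dev_list; };          /* napi_struct, linked on dev->napi_list */
struct ring   { char payload[64]; struct napi napi; }; /* igbvf_ring with its embedded napi */
struct netdev { struct list_head napi_list; };

/* Tracking allocator standing in for KASAN: remember every freed block so the list
 * walk can report a use-after-free instead of actually dereferencing freed memory. */
static uintptr_t freed_blocks[8];
static int nfreed;
static void kfree_tracked(void *p) { freed_blocks[nfreed++] = (uintptr_t)p; free(p); }
static int in_freed_block(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < nfreed; i++)
        if (a >= freed_blocks[i] && a < freed_blocks[i] + sizeof(struct ring))
            return 1;
    return 0;
}
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }
/* free_netdev(): list_for_each_entry_safe over napi_list, netif_napi_del() on each entry.
 * Returns 1 if an entry lies in already-freed memory (what KASAN reported), else 0. */
static int free_netdev_model(struct netdev *dev) {
    for (struct list_head *n = dev->napi_list.next, *tmp; n != &dev->napi_list; n = tmp) {
        if (in_freed_block(n))
            return 1;   /* the real code reads n->next here: the use-after-free */
        tmp = n->next;
        list_del(n);
    }
    return 0;
}
/* igbvf_probe() after register_netdev() fails. fixed == 0 reproduces the bug: err_hw_init frees
 * rx_ring with its napi still linked, then err_ioremap calls free_netdev(). fixed == 1 unlinks first. */
static int probe_error_path(int fixed) {
    struct netdev dev;
    struct ring *rx_ring = malloc(sizeof *rx_ring);
    nfreed = 0;
    list_init(&dev.napi_list);
    list_add(&rx_ring->napi.dev_list, &dev.napi_list);  /* netif_napi_add() in igbvf_alloc_queues() */
    if (fixed)
        list_del(&rx_ring->napi.dev_list);              /* the fix: netif_napi_del(&adapter->rx_ring->napi) */
    kfree_tracked(rx_ring);                             /* err_hw_init: kfree(adapter->rx_ring) */
    return free_netdev_model(&dev);                     /* err_ioremap: free_netdev(netdev) */
}
```

The general rule the fix follows is that an object embedded in a heap allocation must be unlinked from every list before that allocation is freed, whichever unwind label the failing step jumps to.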
[
  {
    "events": [
      { "introduced": "2.6.30" },
      { "fixed": "4.4.296" }
    ]
  },
  {
    "events": [
      { "introduced": "4.5" },
      { "fixed": "4.9.294" }
    ]
  },
  {
    "events": [
      { "introduced": "4.10" },
      { "fixed": "4.14.259" }
    ]
  },
  {
    "events": [
      { "introduced": "4.15" },
      { "fixed": "4.19.222" }
    ]
  },
  {
    "events": [
      { "introduced": "4.20" },
      { "fixed": "5.4.168" }
    ]
  },
  {
    "events": [
      { "introduced": "5.5" },
      { "fixed": "5.10.88" }
    ]
  },
  {
    "events": [
      { "introduced": "5.11" },
      { "fixed": "5.15.11" }
    ]
  }
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47589.json"