In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.
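The four-step sequence above is a retry-state bug: a page handed back to the caller for a second attempt is still owned by somebody when the second attempt fails early. The following userspace C model is an added example and is not kernel code; it is a constructed stand-in for shmem_mfill_atomic_pte() and its retry loop in which the page is a heap buffer, the "tmpfs filling up" is a flag the caller flips between attempts, and the caller's BUG_ON is reported as a return code so the model can be run. The names mfill_atomic_pte_sim, mcopy_sim, run_scenario and struct env are all assumptions of this model.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: a "page" is a heap buffer, and a counter tracks how
 * many are outstanding so that a leaked page is observable. */
typedef struct page { char data[16]; } page_t;

static int pages_outstanding;

static page_t *alloc_page_sim(void)
{
    page_t *p = calloc(1, sizeof *p);
    if (p)
        pages_outstanding++;
    return p;
}

static void put_page_sim(page_t *p)
{
    if (p) {
        pages_outstanding--;
        free(p);
    }
}

/* Simulated environment (assumption: models the conditions in the text). */
struct env {
    int copy_faults;     /* >0: the copy under mmap_lock fails, like copy_from_user() */
    int blocks_free;     /* tmpfs blocks left for accounting */
    int drain_on_retry;  /* 1: "another process" fills the tmpfs before the retry */
};

#define SIM_BUG_ON (-1)  /* where the real caller would hit BUG_ON(page) */

/* Stand-in for shmem_mfill_atomic_pte(). *pagep carries a page across a retry.
 * fixed == 0 mirrors the pre-fix behaviour from the text; fixed == 1 releases
 * the dangling page when block accounting fails. */
static int mfill_atomic_pte_sim(struct env *env, page_t **pagep,
                                const char *src, int fixed)
{
    page_t *page;

    if (env->blocks_free <= 0) {
        /* Accounting failed. Pre-fix: return at once, leaving *pagep set. */
        if (fixed && *pagep) {
            put_page_sim(*pagep);     /* the fix: drop the page we carried in */
            *pagep = NULL;
        }
        return -ENOMEM;
    }
    env->blocks_free--;

    if (!*pagep) {
        page = alloc_page_sim();
        if (!page) {
            env->blocks_free++;
            return -ENOMEM;
        }
        if (env->copy_faults > 0) {
            /* Copy failed under the lock: hand the page to the caller through
             * *pagep, unaccount the block, and ask for a retry. */
            env->copy_faults--;
            env->blocks_free++;
            *pagep = page;
            return -ENOENT;
        }
        memcpy(page->data, src, sizeof page->data);
    } else {
        page = *pagep;
        *pagep = NULL;
    }

    /* Page consumed ("installed" in the mapping); the model just releases it. */
    put_page_sim(page);
    return 0;
}

/* Stand-in for the caller's retry loop around the function above. */
static int mcopy_sim(struct env *env, const char *src, int fixed)
{
    page_t *page = NULL;
    int err;

    for (;;) {
        err = mfill_atomic_pte_sim(env, &page, src, fixed);
        if (err == -ENOENT) {
            if (!page)
                return SIM_BUG_ON;          /* caller asserts a page was handed back */
            memcpy(page->data, src, sizeof page->data); /* copy outside the lock */
            if (env->drain_on_retry)
                env->blocks_free = 0;       /* step 3: tmpfs filled up meanwhile */
            continue;
        }
        if (page)
            return SIM_BUG_ON;              /* page must be consumed unless -ENOENT */
        return err;
    }
}

/* The exact sequence from the text: copy faults once, tmpfs fills before the retry. */
static int run_scenario(int fixed)
{
    struct env env = { .copy_faults = 1, .blocks_free = 1, .drain_on_retry = 1 };
    pages_outstanding = 0;
    return mcopy_sim(&env, "constructed payload", fixed);
}
```

Running run_scenario(0) reproduces the pre-fix outcome: the second call returns -ENOMEM with the page still dangling, the caller's assertion fires and one page is never released. run_scenario(1) returns plain -ENOMEM with no page outstanding, which is the behaviour the fix restores; the check on accounting failure is the only difference between the two paths.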