ghsa-w36p-947m-7c32
Vulnerability from github
Published
2024-02-28 09:30
Modified
2024-12-24 15:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

  1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated.
  2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte().
  3. Meanwhile, let's say another process filled up the tmpfs being used.
  4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-46988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: release page in error path to avoid BUG_ON\n\nConsider the following sequence of events:\n\n1. Userspace issues a UFFD ioctl, which ends up calling into\n   shmem_mfill_atomic_pte(). We successfully account the blocks, we\n   shmem_alloc_page(), but then the copy_from_user() fails. We return\n   -ENOENT. We don\u0027t release the page we allocated.\n2. Our caller detects this error code, tries the copy_from_user() after\n   dropping the mmap_lock, and retries, calling back into\n   shmem_mfill_atomic_pte().\n3. Meanwhile, let\u0027s say another process filled up the tmpfs being used.\n4. So shmem_mfill_atomic_pte() fails to account blocks this time, and\n   immediately returns - without releasing the page.\n\nThis triggers a BUG_ON in our caller, which asserts that the page\nshould always be consumed, unless -ENOENT is returned.\n\nTo fix this, detect if we have such a \"dangling\" page when accounting\nfails, and if so, release it before returning.",
  "id": "GHSA-w36p-947m-7c32",
  "modified": "2024-12-24T15:30:31Z",
  "published": "2024-02-28T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46988"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07c9b834c97d0fa3402fb7f3f3b32df370a6ff1f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/140cfd9980124aecb6c03ef2e69c72d0548744de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d59a0ed8b26b8f3638d8afc31f839e27759f1f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/319116227e52d49eee671f0aa278bac89b3c1b69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ed9d238c7dbb1fdb63ad96a6184985151b0171c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad53127973034c63b5348715a1043d0e80ceb330"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3f1731c6d7fbc1ebe3ed8eff6d6bec56d76ff43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.