发布于3月6日3月6日 Members Amazon Linux AMI 2: CVE-2021-47299: Security patch for kernel (ALASKERNEL-5.10-2022-004) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 05/21/2024 Created 12/13/2024 Added 12/12/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: xdp, net: Fix use-after-free in bpf_xdp_link_release The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). At this point, dev_xdp_uninstall() is called. Then xdp link will not be detached automatically when dev is released. But link->dev already points to dev, when xdp link is released, dev will still be accessed, but dev has been released. dev_get_by_index()| link->dev = dev | |rtnl_lock() |unregister_netdevice_many() |dev_xdp_uninstall() |rtnl_unlock() rtnl_lock();| dev_xdp_attach_link() | rtnl_unlock();| |netdev_run_todo() // dev released bpf_xdp_link_release()| /* access dev.| use-after-free */| [ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0 [ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732 [ 45.968297] [ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22 [ 45.969222] Hardware name: linux,dummy-virt (DT) [ 45.969795] Call trace: [ 45.970106]dump_backtrace+0x0/0x4c8 [ 45.970564]show_stack+0x30/0x40 [ 45.970981]dump_stack_lvl+0x120/0x18c [ 45.971470]print_address_description.constprop.0+0x74/0x30c [ 45.972182]kasan_report+0x1e8/0x200 [ 45.972659]__asan_report_load8_noabort+0x2c/0x50 [ 45.973273]bpf_xdp_link_release+0x3b8/0x3d0 [ 45.973834]bpf_link_free+0xd0/0x188 [ 45.974315]bpf_link_put+0x1d0/0x218 [ 45.974790]bpf_link_release+0x3c/0x58 [ 45.975291]__fput+0x20c/0x7e8 [ 45.975706]____fput+0x24/0x30 [ 45.976117]task_work_run+0x104/0x258 [ 45.976609]do_notify_resume+0x894/0xaf8 [ 45.977121]work_pending+0xc/0x328 [ 45.977575] [ 45.977775] The buggy address belongs to the page: [ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998 [ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff) [ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000 [ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 45.982259] page dumped because: kasan: bad access detected [ 45.982948] [ 45.983153] Memory state around the buggy address: [ 45.983753]ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.984645]ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.986419] ^ [ 45.987112]ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988006]ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 45.988895] ================================================================== [ 45.989773] Disabling lock debugging due to kernel taint [ 45.990552] Kernel panic - not syncing: panic_on_warn set ... [ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: GB 5.13.0+ #22 [ 45.991929] Hardware name: linux,dummy-virt (DT) [ 45.992448] Call trace: [ 45.992753]dump_backtrace+0x0/0x4c8 [ 45.993208]show_stack+0x30/0x40 [ 45.993627]dump_stack_lvl+0x120/0x18c [ 45.994113]dump_stack+0x1c/0x34 [ 45.994530]panic+0x3a4/0x7d8 [ 45.994930]end_report+0x194/0x198 [ 45.995380]kasan_report+0x134/0x200 [ 45.995850]__asan_report_load8_noabort+0x2c/0x50 [ 45.996453]bpf_xdp_link_release+0x3b8/0x3d0 [ 45.997007]bpf_link_free+0xd0/0x188 [ 45.997474]bpf_link_put+0x1d0/0x218 [ 45.997942]bpf_link_release+0x3c/0x58 [ 45.998429]__fput+0x20c/0x7e8 [ 45.998833]____fput+0x24/0x30 [ 45.999247]task_work_run+0x104/0x258 [ 45.999731]do_notify_resume+0x894/0xaf8 [ 46.000236]work_pending ---truncated--- Solution(s) amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-59-52-142 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo References https://attackerkb.com/topics/cve-2021-47299 AL2/ALASKERNEL-5.10-2022-004 CVE - 2021-47299
