发布于3月6日3月6日 Members Ubuntu: (CVE-2021-47379): linux vulnerability Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 05/21/2024 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd KASAN reports a use-after-free report when doing fuzz test: [693354.104835] ================================================================== [693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 [693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 [693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 [693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 [693354.105612] Call Trace: [693354.105621]dump_stack+0xf1/0x19b [693354.105626]? show_regs_print_info+0x5/0x5 [693354.105634]? printk+0x9c/0xc3 [693354.105638]? cpumask_weight+0x1f/0x1f [693354.105648]print_address_description+0x70/0x360 [693354.105654]kasan_report+0x1b2/0x330 [693354.105659]? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105665]? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105670]bfq_io_set_weight_legacy+0xd3/0x160 [693354.105675]? bfq_cpd_init+0x20/0x20 [693354.105683]cgroup_file_write+0x3aa/0x510 [693354.105693]? ___slab_alloc+0x507/0x540 [693354.105698]? cgroup_file_poll+0x60/0x60 [693354.105702]? 0xffffffff89600000 [693354.105708]? usercopy_abort+0x90/0x90 [693354.105716]? mutex_lock+0xef/0x180 [693354.105726]kernfs_fop_write+0x1ab/0x280 [693354.105732]? cgroup_file_poll+0x60/0x60 [693354.105738]vfs_write+0xe7/0x230 [693354.105744]ksys_write+0xb0/0x140 [693354.105749]? __ia32_sys_read+0x50/0x50 [693354.105760]do_syscall_64+0x112/0x370 [693354.105766]? syscall_return_slowpath+0x260/0x260 [693354.105772]? do_page_fault+0x9b/0x270 [693354.105779]? prepare_exit_to_usermode+0xf9/0x1a0 [693354.105784]? enter_from_user_mode+0x30/0x30 [693354.105793]entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.105875] Allocated by task 1453337: [693354.106001]kasan_kmalloc+0xa0/0xd0 [693354.106006]kmem_cache_alloc_node_trace+0x108/0x220 [693354.106010]bfq_pd_alloc+0x96/0x120 [693354.106015]blkcg_activate_policy+0x1b7/0x2b0 [693354.106020]bfq_create_group_hierarchy+0x1e/0x80 [693354.106026]bfq_init_queue+0x678/0x8c0 [693354.106031]blk_mq_init_sched+0x1f8/0x460 [693354.106037]elevator_switch_mq+0xe1/0x240 [693354.106041]elevator_switch+0x25/0x40 [693354.106045]elv_iosched_store+0x1a1/0x230 [693354.106049]queue_attr_store+0x78/0xb0 [693354.106053]kernfs_fop_write+0x1ab/0x280 [693354.106056]vfs_write+0xe7/0x230 [693354.106060]ksys_write+0xb0/0x140 [693354.106064]do_syscall_64+0x112/0x370 [693354.106069]entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.106114] Freed by task 1453336: [693354.106225]__kasan_slab_free+0x130/0x180 [693354.106229]kfree+0x90/0x1b0 [693354.106233]blkcg_deactivate_policy+0x12c/0x220 [693354.106238]bfq_exit_queue+0xf5/0x110 [693354.106241]blk_mq_exit_sched+0x104/0x130 [693354.106245]__elevator_exit+0x45/0x60 [693354.106249]elevator_switch_mq+0xd6/0x240 [693354.106253]elevator_switch+0x25/0x40 [693354.106257]elv_iosched_store+0x1a1/0x230 [693354.106261]queue_attr_store+0x78/0xb0 [693354.106264]kernfs_fop_write+0x1ab/0x280 [693354.106268]vfs_write+0xe7/0x230 [693354.106271]ksys_write+0xb0/0x140 [693354.106275]do_syscall_64+0x112/0x370 [693354.106280]entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.106329] The buggy address belongs to the object at ffff888be0a35580 which belongs to the cache kmalloc-1k of size 1024 [693354.106736] The buggy address is located 228 bytes inside of 1024-byte region [ffff888be0a35580, ffff888be0a35980) [693354.107114] The buggy address belongs to the page: [693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0 [693354.107606] flags: 0x17ffffc0008100(slab|head) [693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 [693354.108020] r ---truncated--- Solution(s) ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-4 ubuntu-upgrade-linux-aws-fips ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-5-4 ubuntu-upgrade-linux-azure-fips ubuntu-upgrade-linux-bluefield ubuntu-upgrade-linux-fips ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-5-4 ubuntu-upgrade-linux-gcp-fips ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-hwe-5-4 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-4 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-raspi-5-4 References https://attackerkb.com/topics/cve-2021-47379 CVE - 2021-47379 https://git.kernel.org/linus/858560b27645e7e97aca37ee8f232cccd658fbd2 https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2 https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08 https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf https://www.cve.org/CVERecord?id=CVE-2021-47379 View more
