CVE-2021-47459
Description
In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv It will trigger UAF for rx_kref of j1939_priv as following. cpu0 cpu1 j1939_sk_bind(socket0, ndev0, ...) j1939_netdev_start j1939_sk_bind(socket1, ndev0, ...) j1939_netdev_start j1939_priv_set j1939_priv_get_by_ndev_locked j1939_jsk_add ..... j1939_netdev_stop kref_put_lock(&priv->rx_kref, ...) kref_get(&priv->rx_kref, ...) REFCOUNT_WARN("addition on 0;...") ==================================================== refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0 RIP: 0010:refcount_warn_saturate+0x169/0x1e0 Call Trace: j1939_netdev_start+0x68b/0x920 j1939_sk_bind+0x426/0xeb0 ? security_socket_bind+0x83/0xb0 The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to protect.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-4928.html
Vendor advisory: alma — https://bugzilla.redhat.com/2293412
Vendor advisory: alma — https://bugzilla.redhat.com/2293316
Vendor advisory: alma — https://bugzilla.redhat.com/2284598
Vendor advisory: alma — https://bugzilla.redhat.com/2284506
Vendor advisory: alma — https://bugzilla.redhat.com/2282898
Vendor advisory: alma — https://bugzilla.redhat.com/2282669
Vendor advisory: alma — https://bugzilla.redhat.com/2281700
Vendor advisory: alma — https://bugzilla.redhat.com/2281647
Vendor advisory: alma — https://bugzilla.redhat.com/2281247
Vendor advisory: alma — https://bugzilla.redhat.com/2278473
Vendor advisory: alma — https://bugzilla.redhat.com/2278435
Vendor advisory: alma — https://bugzilla.redhat.com/2278337
Vendor advisory: alma — https://bugzilla.redhat.com/2275761
Vendor advisory: alma — https://bugzilla.redhat.com/2275690
Vendor advisory: alma — https://bugzilla.redhat.com/2273274
Vendor advisory: alma — https://bugzilla.redhat.com/2273236
Vendor advisory: alma — https://bugzilla.redhat.com/2265794
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:4928
Vendor advisory: rocky — https://errata.rockylinux.org/RXSA-2024:4928
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-47459
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-47459.html
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:4928
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| sles | affected | | |
| debian | bookworm | fixed | 5.14.16-1 |
| debian | bullseye | fixed | 5.10.84-1 |
| debian | forky | fixed | 5.14.16-1 |
| debian | sid | fixed | 5.14.16-1 |
| debian | trixie | fixed | 5.14.16-1 |
| rocky | 9 | fixed | |
References
- https://access.redhat.com/errata/RHSA-2024:4928
- https://www.suse.com/security/cve/CVE-2021-47459.html
- https://security-tracker.debian.org/tracker/CVE-2021-47459
- https://errata.rockylinux.org/RXSA-2024:4928
- https://errata.rockylinux.org/RLSA-2024:4928
- https://bugzilla.redhat.com/2265794
- https://bugzilla.redhat.com/2273236
- https://bugzilla.redhat.com/2273274
- https://bugzilla.redhat.com/2275690
- https://bugzilla.redhat.com/2275761
- https://bugzilla.redhat.com/2278337
- https://bugzilla.redhat.com/2278435
- https://bugzilla.redhat.com/2278473
- https://bugzilla.redhat.com/2281247
- https://bugzilla.redhat.com/2281647
- https://bugzilla.redhat.com/2281700
- https://bugzilla.redhat.com/2282669
- https://bugzilla.redhat.com/2282898
- https://bugzilla.redhat.com/2284506
- https://bugzilla.redhat.com/2284598
- https://bugzilla.redhat.com/2293316
- https://bugzilla.redhat.com/2293412
- https://errata.almalinux.org/9/ALSA-2024-4928.html
Verify integrity in audit chain (admin only). AS-IS.