In the Linux kernel, the following vulnerability has been resolved: KVM:
mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio
BUG: KASAN: use-after-free in
kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec
arch/arm64/kvm/…/…/…/virt/kvm/coalesced_mmio.c:183 Read of size 8 at
addr ffff0000c03a2500 by task syz-executor083/4269 CPU: 5 PID: 4269 Comm:
syz-executor083 Not tainted 5.10.0 #7 Hardware name: linux,dummy-virt (DT)
Call trace: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132
show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack
lib/dump_stack.c:77 [inline] dump_stack+0x110/0x164 lib/dump_stack.c:118
print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report
mm/kasan/report.c:545 [inline] kasan_report+0x148/0x1e4
mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:183
[inline] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252
kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec
arch/arm64/kvm/…/…/…/virt/kvm/coalesced_mmio.c:183
kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/…/…/…/virt/kvm/kvm_main.c:3755
vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c
fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common
arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290
arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28
arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170
arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180
arch/arm64/kernel/entry.S:670 Allocated by task 4269:
stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack
mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 kasan_kmalloc+0xc/0x14
mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450
[inline] kmalloc include/linux/slab.h:552 [inline] kzalloc
include/linux/slab.h:664 [inline]
kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc
arch/arm64/kvm/…/…/…/virt/kvm/coalesced_mmio.c:146
kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/…/…/…/virt/kvm/kvm_main.c:3746
vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c
fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common
arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290
arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28
arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170
arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180
arch/arm64/kernel/entry.S:670 Freed by task 4269:
stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack
mm/kasan/common.c:48 [inline] kasan_set_track+0x38/0x6c
mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355
__kasan_slab_free+0x124/0x150 mm/kasan/common.c:422
kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 slab_free_hook
mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline]
slab_free mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124
coalesced_mmio_destructor+0x94/0xa4
arch/arm64/kvm/…/…/…/virt/kvm/coalesced_mmio.c:102
kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]
kvm_io_bus_unregister_dev+0x248/0x280
arch/arm64/kvm/…/…/…/virt/kvm/kvm_main.c:4374
kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec
arch/arm64/kvm/…/…/…/virt/kvm/coalesced_mmio.c:186
kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/…/…/…/virt/kvm/kvm_main.c:3755
vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c
fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/sys —truncated—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-bluefield | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-gcp-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gkeop | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-hwe-5.4 | < any | UNKNOWN |
git.kernel.org/linus/23fa2e46a5556f787ce2ea1a315d3ab93cced204 (5.14-rc2)
git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e
git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204
git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066
git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061
git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a
launchpad.net/bugs/cve/CVE-2021-47341
nvd.nist.gov/vuln/detail/CVE-2021-47341
security-tracker.debian.org/tracker/CVE-2021-47341
www.cve.org/CVERecord?id=CVE-2021-47341