Bug 2063228 (CVE-2021-39698)

Summary: CVE-2021-39698 kernel: use-after-free in the file polling implementation
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, aquini, bdettelb, bhu, chwhite, crwood, dbohanno, dvlasenk, esandeen, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, jmoyer, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint-bot, lgoncalv, linville, lzampier, masami256, mchehab, michal.skrivanek, mperina, nmurray, nobody, ptalbert, qzhao, rhandlin, rkeshri, rvrbovsk, scweaver, steved, vkumar, walters, williams, xzhou, ycote, zulinx86
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.16 rc5
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel’s file polling implementation in kernel/sched/wait.c, which leads to a use-after-free problem. This flaw allows a local user to cause a denial of service (memory corruption or crash) or privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2063229, 2063627, 2063628, 2063629, 2063630, 2063631, 2063632, 2063633, 2063634, 2063635, 2063636, 2063637, 2063638, 2063639, 2063640, 2063641, 2063642, 2063643, 2063644, 2063645, 2063646, 2063647, 2063648, 2063649, 2063650, 2063651, 2063652, 2063653, 2063654, 2063655, 2063656, 2063657, 2063658, 2063694, 2063695, 2065566    
Bug Blocks: 2063231    

Description Guilherme de Almeida Suckevicz 2022-03-11 14:42:01 UTC
A vulnerability was found in the file polling implementation, which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash) or possibly for privilege escalation.

References and upstream patches:
https://source.android.com/security/bulletin/2022-03-01
https://android.googlesource.com/kernel/common/+/42288cb44c4b
https://android.googlesource.com/kernel/common/+/a880b28a71e3
https://android.googlesource.com/kernel/common/+/9537bae0da1f
https://android.googlesource.com/kernel/common/+/363bee27e258
https://android.googlesource.com/kernel/common/+/50252e4b5e98

Comment 1 Guilherme de Almeida Suckevicz 2022-03-11 14:43:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2063229]

Comment 2 Justin M. Forbes 2022-03-11 16:54:19 UTC
This was fixed for Fedora with the 5.15.8 stable kernel update.

Comment 20 Sandro Bonazzola 2022-03-18 08:34:28 UTC
Created kernel tracking bugs for this issue:

Affects: ovirt-4.4 [bug 2065566]

Comment 31 Rohit Keshri 2022-04-05 13:57:15 UTC
There was no shipped kernel version that was seen affected by this problem.