Bug 2063236 (CVE-2021-39713)

Summary: CVE-2021-39713 kernel: race condition in the network scheduling subsystem could lead to a use-after-free
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact: Li Shuang <shuali>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, allarkin, bdettelb, bhu, chwhite, crwood, dcaratti, dvlasenk, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint-bot, lgoncalv, linville, lzampier, masami256, mchehab, michal.skrivanek, mperina, nmurray, nobody, ptalbert, qzhao, rhandlin, rkeshri, rvrbovsk, scweaver, shuali, steved, vkumar, walters, williams, ycote, zulinx86
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.1 rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s network scheduling subsystem due to a race condition. This flaw allows a local user to cause a denial of service (memory corruption or crash) or privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2063237, 2063841, 2063842, 2063843, 2063844, 2063845, 2063846, 2063847, 2063848, 2063849, 2063850, 2063851, 2063852, 2064650
Bug Blocks: 2063238

Description Guilherme de Almeida Suckevicz 2022-03-11 14:55:38 UTC
The syzbot tool found a race condition in the network scheduling subsystem which could lead to a use-after-free. A local user could exploit this for denial of service (memory corruption or crash) or possibly for privilege escalation.

References and upstream patches:
https://source.android.com/security/bulletin/pixel/2022-03-01
https://android.googlesource.com/kernel/common/+/e368fdb61d8e7
https://android.googlesource.com/kernel/common/+/9d7e82cec35c0
https://android.googlesource.com/kernel/common/+/3a7d0d07a3867
https://android.googlesource.com/kernel/common/+/86bd446b5cebd
https://android.googlesource.com/kernel/common/+/6f99528e97977

Comment 1 Guilherme de Almeida Suckevicz 2022-03-11 14:57:12 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2063237]

Comment 2 Justin M. Forbes 2022-03-11 17:05:01 UTC
These fixes went upstream in 4.20 and were addressed in Fedora with the 4.20.x kernel rebases.