Bug 2266216 (CVE-2021-46904)

Summary: CVE-2021-46904 kernel: null-ptr-deref during tty device unregistration
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel. A null-ptr-deref flaw was found during tty device unregistration.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2266217    
Bug Blocks: 2266218    

Description Rohit Keshri 2024-02-27 05:36:10 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix null-ptr-deref during tty device unregistration

Multiple ttys try to claim the same the minor number causing a double
unregistration of the same device. The first unregistration succeeds
but the next one results in a null-ptr-deref.

The get_free_serial_index() function returns an available minor number
but doesn't assign it immediately. The assignment is done by the caller
later. But before this assignment, calls to get_free_serial_index()
would return the same minor number.

Fix this by modifying get_free_serial_index to assign the minor number
immediately after one is found to be and rename it to obtain_minor()
to better reflect what it does. Similary, rename set_serial_by_index()
to release_minor() and modify it to free up the minor number of the
given hso_serial. Every obtain_minor() should have corresponding
release_minor() call.

https://git.kernel.org/stable/c/145c89c441d27696961752bf51b323f347601bee
https://git.kernel.org/stable/c/388d05f70f1ee0cac4a2068fd295072f1a44152a
https://git.kernel.org/stable/c/4a2933c88399c0ebc738db39bbce3ae89786d723
https://git.kernel.org/stable/c/8a12f8836145ffe37e9c8733dce18c22fb668b66
https://git.kernel.org/stable/c/92028d7a31e55d53e41cff679156b9432cffcb36
https://git.kernel.org/stable/c/a462067d7c8e6953a733bf5ade8db947b1bb5449
https://git.kernel.org/stable/c/caf5ac93b3b5d5fac032fc11fbea680e115421b4
https://git.kernel.org/stable/c/dc195928d7e4ec7b5cfc6cd10dc4c8d87a7c72ac
Comment 1 Rohit Keshri 2024-02-27 05:40:09 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2266217]
Comment 3 Justin M. Forbes 2024-02-27 19:17:55 UTC 
This was fixed for Fedora with the 5.11.14 stable kernel updates.
Comment 5 Alex 2024-06-09 16:58:56 UTC 
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2021-46904 is: CHECK	Maybe valid. Check manually. with impact LOW (that is an approximation based on flags NULLPTR USB INIT  ; these flags parsed automatically based on patch data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.