Bug 2036682 (CVE-2021-4202) - CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free while the device is getting removed
Summary: CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free...
Keywords:
Status: NEW
Alias: CVE-2021-4202
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2038123
Blocks: 2036683 2038882
TreeView+ depends on / blocked
 
Reported: 2022-01-03 15:05 UTC by Pedro Sampaio
Modified: 2022-01-13 19:02 UTC (History)
48 users (show)

Fixed In Version: kernel 5.16 rc2
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2022-01-03 15:05:54 UTC
A flaw was found in the Linux kernel. Similar to the CVE-2021-35373, the nci_request() function in NFC NCI code also suffers from a data race. This race will allow __nci_request() to be awaken while the device is getting removed and cause UAF. The attacker can spray the released object to gain powerful primitive.

Upstream commit:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=86cdf8e38792545161dbe3350a7eced558ba4d15
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=48b71a9e66c2eab60564b1b1c85f4928ed04e406
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e3b5dfcd16a3e254aab61bd1e8c417dd4503102
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aedddb4e45b34426cfbfa84454b6f203712733c5

Comment 2 Rohit Keshri 2022-01-07 10:50:04 UTC
There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 9 juneau 2022-01-07 12:51:58 UTC
Managed Services not affected.


Note You need to log in before you can comment on or make changes to this bug.