Bug 2031930 (CVE-2021-0920) - CVE-2021-0920 kernel: Use After Free in unix_gc() which could result in a local privilege escalation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-0920
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2031966 2031967 2031968 2031969 2031970 2031971 2031972 2031973 2031974 2031975 2031976 2031977 2031978 2031979 2031980 2031981 2031982 2031983 2031984 2031985 2031986 2031987 2031988 2031989 2031990 2031991 2031992 2032818 2032819 2047640
Blocks: 2030656
 
Reported: 2021-12-13 18:03 UTC by Michael Kaplan
Modified: 2022-05-11 13:15 UTC (History)

Fixed In Version: kernel 5.14 rc4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in unix_dgram_recvmsg in net/unix/af_unix.c in the Linux kernel's garbage collection for Unix domain socket file handlers. In this flaw, a missing cleanup may lead to a use-after-free due to a race problem. This flaw allows a local user to crash the system or escalate their privileges on the system.

A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-05-11 13:15:31 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0679 0 None None None 2022-02-24 20:40:51 UTC
Red Hat Product Errata RHBA-2022:0690 0 None None None 2022-02-28 14:16:39 UTC
Red Hat Product Errata RHBA-2022:0740 0 None None None 2022-03-03 15:58:11 UTC
Red Hat Product Errata RHBA-2022:1044 0 None None None 2022-03-24 07:23:43 UTC
Red Hat Product Errata RHSA-2022:0590 0 None None None 2022-02-22 09:00:55 UTC
Red Hat Product Errata RHSA-2022:0592 0 None None None 2022-02-22 09:12:20 UTC
Red Hat Product Errata RHSA-2022:0620 0 None None None 2022-02-22 16:58:08 UTC
Red Hat Product Errata RHSA-2022:0622 0 None None None 2022-02-22 17:00:54 UTC
Red Hat Product Errata RHSA-2022:0629 0 None None None 2022-02-22 15:15:39 UTC
Red Hat Product Errata RHSA-2022:0636 0 None None None 2022-02-22 15:54:44 UTC
Red Hat Product Errata RHSA-2022:0771 0 None None None 2022-03-08 15:03:01 UTC
Red Hat Product Errata RHSA-2022:0772 0 None None None 2022-03-08 15:54:19 UTC
Red Hat Product Errata RHSA-2022:0777 0 None None None 2022-03-08 17:51:18 UTC
Red Hat Product Errata RHSA-2022:0819 0 None None None 2022-03-10 15:04:11 UTC
Red Hat Product Errata RHSA-2022:0823 0 None None None 2022-03-10 15:31:46 UTC
Red Hat Product Errata RHSA-2022:0825 0 None None None 2022-03-10 16:15:25 UTC
Red Hat Product Errata RHSA-2022:0841 0 None None None 2022-03-14 09:22:53 UTC
Red Hat Product Errata RHSA-2022:0849 0 None None None 2022-03-14 10:48:28 UTC
Red Hat Product Errata RHSA-2022:0851 0 None None None 2022-03-14 10:19:24 UTC
Red Hat Product Errata RHSA-2022:0958 0 None None None 2022-03-17 16:28:07 UTC
Red Hat Product Errata RHSA-2022:1103 0 None None None 2022-03-29 09:07:18 UTC
Red Hat Product Errata RHSA-2022:1104 0 None None None 2022-03-29 08:50:51 UTC
Red Hat Product Errata RHSA-2022:1106 0 None None None 2022-03-29 08:42:26 UTC
Red Hat Product Errata RHSA-2022:1107 0 None None None 2022-03-29 09:54:45 UTC
Red Hat Product Errata RHSA-2022:1263 0 None None None 2022-04-07 09:03:11 UTC
Red Hat Product Errata RHSA-2022:1324 0 None None None 2022-04-12 15:37:23 UTC
Red Hat Product Errata RHSA-2022:1373 0 None None None 2022-04-13 19:58:44 UTC
Red Hat Product Errata RHSA-2022:1417 0 None None None 2022-04-19 16:11:36 UTC

Description Michael Kaplan 2021-12-13 18:03:02 UTC
A flaw was found in the Linux kernel: unix_gc() assumes that candidate sockets can never gain an external reference (i.e. be installed into an fd) while the unix_gc_lock is held. Except for MSG_PEEK, this is guaranteed by modifying the inflight count under the unix_gc_lock.

References:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbcf01128d0a92e131bd09f1688fe032480b65ca

Comment 9 Sandro Bonazzola 2022-01-25 10:20:39 UTC
Isn't this affecting Fedora too?

Comment 10 Sandro Bonazzola 2022-01-28 08:01:19 UTC
Created oVirt tracking bug for this issue:

Affects: oVirt Node 4.4 [ bug 2047640 ]

Comment 11 errata-xmlrpc 2022-02-22 09:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0590 https://access.redhat.com/errata/RHSA-2022:0590

Comment 12 errata-xmlrpc 2022-02-22 09:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0592 https://access.redhat.com/errata/RHSA-2022:0592

Comment 13 errata-xmlrpc 2022-02-22 15:15:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0629 https://access.redhat.com/errata/RHSA-2022:0629

Comment 14 errata-xmlrpc 2022-02-22 15:54:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0636 https://access.redhat.com/errata/RHSA-2022:0636

Comment 15 errata-xmlrpc 2022-02-22 16:58:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0620 https://access.redhat.com/errata/RHSA-2022:0620

Comment 16 errata-xmlrpc 2022-02-22 17:00:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0622 https://access.redhat.com/errata/RHSA-2022:0622

Comment 17 errata-xmlrpc 2022-03-08 15:02:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0771 https://access.redhat.com/errata/RHSA-2022:0771

Comment 18 errata-xmlrpc 2022-03-08 15:54:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0772 https://access.redhat.com/errata/RHSA-2022:0772

Comment 19 errata-xmlrpc 2022-03-08 17:51:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0777 https://access.redhat.com/errata/RHSA-2022:0777

Comment 20 errata-xmlrpc 2022-03-10 15:04:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0819 https://access.redhat.com/errata/RHSA-2022:0819

Comment 21 errata-xmlrpc 2022-03-10 15:31:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0823 https://access.redhat.com/errata/RHSA-2022:0823

Comment 22 errata-xmlrpc 2022-03-10 16:15:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0825 https://access.redhat.com/errata/RHSA-2022:0825

Comment 23 errata-xmlrpc 2022-03-14 09:22:48 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0841 https://access.redhat.com/errata/RHSA-2022:0841

Comment 24 errata-xmlrpc 2022-03-14 10:19:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0851 https://access.redhat.com/errata/RHSA-2022:0851

Comment 25 errata-xmlrpc 2022-03-14 10:48:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0849 https://access.redhat.com/errata/RHSA-2022:0849

Comment 26 errata-xmlrpc 2022-03-17 16:28:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0958 https://access.redhat.com/errata/RHSA-2022:0958

Comment 27 errata-xmlrpc 2022-03-29 08:42:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:1106 https://access.redhat.com/errata/RHSA-2022:1106

Comment 28 errata-xmlrpc 2022-03-29 08:50:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1104 https://access.redhat.com/errata/RHSA-2022:1104

Comment 29 errata-xmlrpc 2022-03-29 09:07:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:1103 https://access.redhat.com/errata/RHSA-2022:1103

Comment 30 errata-xmlrpc 2022-03-29 09:54:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:1107 https://access.redhat.com/errata/RHSA-2022:1107

Comment 32 errata-xmlrpc 2022-04-07 09:03:06 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263

Comment 33 errata-xmlrpc 2022-04-12 15:37:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:1324 https://access.redhat.com/errata/RHSA-2022:1324

Comment 34 errata-xmlrpc 2022-04-13 19:58:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:1373 https://access.redhat.com/errata/RHSA-2022:1373

Comment 35 errata-xmlrpc 2022-04-19 16:11:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1417 https://access.redhat.com/errata/RHSA-2022:1417

Comment 38 Product Security DevOps Team 2022-05-11 13:15:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-0920

