Bug 1970536 (CVE-2021-28691) - CVE-2021-28691 xen: guest triggered use-after-free in Linux xen-netback (XSA-374)
Summary: CVE-2021-28691 xen: guest triggered use-after-free in Linux xen-netback (XSA-...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2021-28691
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1970537 1971599
Blocks: 1970612
TreeView+ depends on / blocked
 
Reported: 2021-06-10 16:29 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-07-20 10:51 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-10 21:04:03 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-06-10 16:29:31 UTC 
A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.

Reference:
https://xenbits.xen.org/xsa/advisory-374.html
Comment 1 Guilherme de Almeida Suckevicz 2021-06-10 16:30:02 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1970537]
Comment 2 Product Security DevOps Team 2021-06-10 21:04:03 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Petr Matousek 2021-06-14 12:21:10 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1971599]
Comment 4 Justin M. Forbes 2021-06-15 15:33:02 UTC 
This was fixed for Fedora with the 5.12.10 stable kernel updates.
Note You need to log in before you can comment on or make changes to this bug.