The mq_notify function in the GNU C Library (aka glibc) through 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1965410]
Sorry I missed this in my Mitre CVE report: the only use-after-free indirection is through the extensions member of struct pthread_attr (see sysdeps/nptl/internaltypes.h) and it got introduced in glibc-2.32. As a result, only glibc-2.32 and glibc-2.33 are affected by this.
(In reply to Siddhesh Poyarekar from comment #2) > Sorry I missed this in my Mitre CVE report: the only use-after-free > indirection is through the extensions member of struct pthread_attr (see > sysdeps/nptl/internaltypes.h) and it got introduced in glibc-2.32. As a > result, only glibc-2.32 and glibc-2.33 are affected by this. As I've corrected myself in the upstream bug, all earlier versions are affected. Earlier versions dereference the cpuset member (which 'extensions' encapsulated in 2.32) which is dynamically allocated and hence has the same issue.
Upstream commits: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=42d359350510506b87101cf77202fefcbfc790cb https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4358 https://access.redhat.com/errata/RHSA-2021:4358
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33574