Bug 2029923 (CVE-2021-4083) - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
Summary: CVE-2021-4083 kernel: fget: check that the fd still exists after getting a re...
Keywords:
Status: NEW
Alias: CVE-2021-4083
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2032816 2030416 2030417 2030418 2032299 2032300 2032301 2032302 2032303 2032304 2032305 2032306 2032307 2032308 2032474 2032475 2032476 2032477 2032478 2032479 2032480 2032481 2032489 2032490 2032491 2032492 2032493 2032494 2032495 2032496 2032815 2056596
Blocks: 2029320 2032781
TreeView+ depends on / blocked
 
Reported: 2021-12-07 15:07 UTC by Alex
Modified: 2022-05-19 05:11 UTC (History)
59 users (show)

Fixed In Version: kernel 5.16-rc4
Doc Type: If docs needed, set a value
Doc Text:
A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1261 0 None None None 2022-04-06 18:40:47 UTC
Red Hat Product Errata RHBA-2022:1282 0 None None None 2022-04-08 13:26:45 UTC
Red Hat Product Errata RHBA-2022:1317 0 None None None 2022-04-12 11:21:16 UTC
Red Hat Product Errata RHBA-2022:1533 0 None None None 2022-04-25 20:01:56 UTC
Red Hat Product Errata RHBA-2022:2229 0 None None None 2022-05-12 11:26:59 UTC
Red Hat Product Errata RHBA-2022:4630 0 None None None 2022-05-18 11:46:45 UTC
Red Hat Product Errata RHBA-2022:4693 0 None None None 2022-05-19 05:11:12 UTC
Red Hat Product Errata RHSA-2022:0820 0 None None None 2022-03-10 15:54:23 UTC
Red Hat Product Errata RHSA-2022:0821 0 None None None 2022-03-10 15:13:14 UTC
Red Hat Product Errata RHSA-2022:0823 0 None None None 2022-03-10 15:31:35 UTC
Red Hat Product Errata RHSA-2022:0851 0 None None None 2022-03-14 10:19:12 UTC
Red Hat Product Errata RHSA-2022:0925 0 None None None 2022-03-15 13:36:42 UTC
Red Hat Product Errata RHSA-2022:0958 0 None None None 2022-03-17 16:28:05 UTC
Red Hat Product Errata RHSA-2022:1103 0 None None None 2022-03-29 09:07:17 UTC
Red Hat Product Errata RHSA-2022:1104 0 None None None 2022-03-29 08:50:49 UTC
Red Hat Product Errata RHSA-2022:1107 0 None None None 2022-03-29 09:54:45 UTC
Red Hat Product Errata RHSA-2022:1185 0 None None None 2022-04-05 08:47:52 UTC
Red Hat Product Errata RHSA-2022:1198 0 None None None 2022-04-05 17:16:11 UTC
Red Hat Product Errata RHSA-2022:1199 0 None None None 2022-04-05 17:16:49 UTC
Red Hat Product Errata RHSA-2022:1263 0 None None None 2022-04-07 09:03:01 UTC
Red Hat Product Errata RHSA-2022:1324 0 None None None 2022-04-12 15:37:12 UTC
Red Hat Product Errata RHSA-2022:1373 0 None None None 2022-04-13 19:58:43 UTC
Red Hat Product Errata RHSA-2022:1413 0 None None None 2022-04-19 15:05:12 UTC
Red Hat Product Errata RHSA-2022:1418 0 None None None 2022-04-19 16:19:01 UTC
Red Hat Product Errata RHSA-2022:1455 0 None None None 2022-04-20 16:20:38 UTC
Red Hat Product Errata RHSA-2022:1975 0 None None None 2022-05-10 14:40:30 UTC
Red Hat Product Errata RHSA-2022:1988 0 None None None 2022-05-10 14:46:29 UTC
Red Hat Product Errata RHSA-2022:2189 0 None None None 2022-05-11 13:21:06 UTC

Description Alex 2021-12-07 15:07:54 UTC
Another possible race with Unix domain socket garbage collection that can lead to read memory after free.
Older more or less similar issue is the CVE-2021-0920 with the fix commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
This race happens if the file handler in the process of being closed, the close() could happen before fget(), and then garbage collector can get confused by seeing this situation of having seen a file not having any remaining external references and then seeing it being attached to an fd.

Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=054aa8d439b9

Comment 13 Sandro Bonazzola 2022-02-21 14:49:13 UTC
Created oVirt tracking bug for this issue:

Affects: oVirt Node 4.4 [ #2056596 ]

Comment 14 errata-xmlrpc 2022-03-10 15:13:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0821 https://access.redhat.com/errata/RHSA-2022:0821

Comment 15 errata-xmlrpc 2022-03-10 15:31:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0823 https://access.redhat.com/errata/RHSA-2022:0823

Comment 16 errata-xmlrpc 2022-03-10 15:54:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0820 https://access.redhat.com/errata/RHSA-2022:0820

Comment 17 errata-xmlrpc 2022-03-14 10:19:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0851 https://access.redhat.com/errata/RHSA-2022:0851

Comment 18 errata-xmlrpc 2022-03-15 13:36:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0925 https://access.redhat.com/errata/RHSA-2022:0925

Comment 19 errata-xmlrpc 2022-03-17 16:28:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0958 https://access.redhat.com/errata/RHSA-2022:0958

Comment 20 errata-xmlrpc 2022-03-29 08:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1104 https://access.redhat.com/errata/RHSA-2022:1104

Comment 21 errata-xmlrpc 2022-03-29 09:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:1103 https://access.redhat.com/errata/RHSA-2022:1103

Comment 22 errata-xmlrpc 2022-03-29 09:54:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:1107 https://access.redhat.com/errata/RHSA-2022:1107

Comment 24 errata-xmlrpc 2022-04-05 08:47:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1185 https://access.redhat.com/errata/RHSA-2022:1185

Comment 25 errata-xmlrpc 2022-04-05 17:16:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1198 https://access.redhat.com/errata/RHSA-2022:1198

Comment 26 errata-xmlrpc 2022-04-05 17:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1199 https://access.redhat.com/errata/RHSA-2022:1199

Comment 27 errata-xmlrpc 2022-04-07 09:02:56 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263

Comment 28 errata-xmlrpc 2022-04-12 15:37:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:1324 https://access.redhat.com/errata/RHSA-2022:1324

Comment 29 errata-xmlrpc 2022-04-13 19:58:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:1373 https://access.redhat.com/errata/RHSA-2022:1373

Comment 30 errata-xmlrpc 2022-04-19 15:05:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1413 https://access.redhat.com/errata/RHSA-2022:1413

Comment 31 errata-xmlrpc 2022-04-19 16:18:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1418 https://access.redhat.com/errata/RHSA-2022:1418

Comment 32 errata-xmlrpc 2022-04-20 16:20:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1455 https://access.redhat.com/errata/RHSA-2022:1455

Comment 33 errata-xmlrpc 2022-05-10 14:40:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 34 errata-xmlrpc 2022-05-10 14:46:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 35 errata-xmlrpc 2022-05-11 13:21:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:2189 https://access.redhat.com/errata/RHSA-2022:2189


Note You need to log in before you can comment on or make changes to this bug.