2036682 – (CVE-2021-4202) CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free while the device is getting removed

Bug 2036682 (CVE-2021-4202) - CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free while the device is getting removed

Summary: CVE-2021-4202 kernel: Race condition in nci_request() leads to use after free...

Keywords:
Status:	NEW
Alias:	CVE-2021-4202
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2038123
Blocks:	2036683 2038882
TreeView+	depends on / blocked

Reported:	2022-01-03 15:05 UTC by Pedro Sampaio
Modified:	2023-09-19 14:13 UTC (History)
CC List:	43 users (show)
Fixed In Version:	kernel 5.16 rc2
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2022-01-03 15:05:54 UTC

A flaw was found in the Linux kernel. Similar to the CVE-2021-35373, the nci_request() function in NFC NCI code also suffers from a data race. This race will allow __nci_request() to be awaken while the device is getting removed and cause UAF. The attacker can spray the released object to gain powerful primitive.

Upstream commit:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=86cdf8e38792545161dbe3350a7eced558ba4d15
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=48b71a9e66c2eab60564b1b1c85f4928ed04e406
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e3b5dfcd16a3e254aab61bd1e8c417dd4503102
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aedddb4e45b34426cfbfa84454b6f203712733c5

Comment 2 Rohit Keshri 2022-01-07 10:50:04 UTC

There was no shipped kernel version that was seen affected by this problem. These files are not built in our source code.

Comment 9 juneau 2022-01-07 12:51:58 UTC

Managed Services not affected.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
adscvr
airlied
alciregi
bdettelb
bhu
chwhite
crwood
dvlasenk
hdegoede
hkrzesin
jarod
jarodwilson
jburrell
jeremy
jfaracco
jforbes
jglisse
jlelli
jonathan
josef
jshortt
jstancek
jwboyer
kcarcia
kernel-maint
kernel-mgr
lgoncalv
linville
lzampier
masami256
mchehab
mleitner
nmurray
ptalbert
qzhao
rkeshri
rvrbovsk
scweaver
steved
vkumar
walters
williams