CVE-2021-47375

MEDIUM

Published 2024-05-21T15:03:39.090Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-47375. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

6.2

/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2023.03.01

0.000

probability

of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-01-25

Exploit Probability

Percentile: 0.152

Higher than 15.2% of all CVEs

Attack Vector Metrics

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Description

In the Linux kernel, the following vulnerability has been resolved:

blktrace: Fix uaf in blk_trace access after removing by sysfs

There is an use-after-free problem triggered by following process:

P1(sda) P2(sdb)
echo 0 > /sys/block/sdb/trace/enable
blk_trace_remove_queue
synchronize_rcu
blk_trace_free
relay_close
rcu_read_lock
__blk_add_trace
trace_note_tsk
(Iterate running_trace_list)
relay_close_buf
relay_destroy_buf
kfree(buf)
trace_note(sdb's bt)
relay_reserve
buf->offset <- nullptr deference (use-after-free) !!!
rcu_read_unlock

[ 502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[ 502.715260] #PF: supervisor read access in kernel mode
[ 502.715903] #PF: error_code(0x0000) - not-present page
[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[ 502.717252] Oops: 0000 [#1] SMP
[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[ 502.732872] Call Trace:
[ 502.733193] __blk_add_trace.cold+0x137/0x1a3
[ 502.733734] blk_add_trace_rq+0x7b/0xd0
[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0
[ 502.734755] blk_mq_start_request+0xde/0x1b0
[ 502.735287] scsi_queue_rq+0x528/0x1140
...
[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0
[ 502.747501] sg_ioctl+0x466/0x1100

Reproduce method:
ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
ioctl(/dev/sda, BLKTRACESTART)
ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
ioctl(/dev/sdb, BLKTRACESTART)

echo 0 > /sys/block/sdb/trace/enable &
// Add delay(mdelay/msleep) before kernel enters blk_trace_free()

ioctl$SG_IO(/dev/sda, SG_IO, ...)
// Enters trace_note_tsk() after blk_trace_free() returned
// Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Linux

Affected Versions:

c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199 c71a896154119f4ca9e89d6078f5f63ad60ef199

Linux

Affected Versions:

2.6.30 0 4.4.286 4.9.285 4.14.249 4.19.209 5.4.150 5.10.70 5.14.9 5.15

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-x6vg-gvf6-hmp9

Advisory Details

In the Linux kernel, the following vulnerability has been resolved: blktrace: Fix uaf in blk_trace access after removing by sysfs There is an use-after-free problem triggered by following process: P1(sda) P2(sdb) echo 0 > /sys/block/sdb/trace/enable blk_trace_remove_queue synchronize_rcu blk_trace_free relay_close rcu_read_lock __blk_add_trace trace_note_tsk (Iterate running_trace_list) relay_close_buf relay_destroy_buf kfree(buf) trace_note(sdb's bt) relay_reserve buf->offset <- nullptr deference (use-after-free) !!! rcu_read_unlock [ 502.714379] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 502.715260] #PF: supervisor read access in kernel mode [ 502.715903] #PF: error_code(0x0000) - not-present page [ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 [ 502.717252] Oops: 0000 [#1] SMP [ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 [ 502.732872] Call Trace: [ 502.733193] __blk_add_trace.cold+0x137/0x1a3 [ 502.733734] blk_add_trace_rq+0x7b/0xd0 [ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 [ 502.734755] blk_mq_start_request+0xde/0x1b0 [ 502.735287] scsi_queue_rq+0x528/0x1140 ... [ 502.742704] sg_new_write.isra.0+0x16e/0x3e0 [ 502.747501] sg_ioctl+0x466/0x1100 Reproduce method: ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sda, BLKTRACESTART) ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sdb, BLKTRACESTART) echo 0 > /sys/block/sdb/trace/enable & // Add delay(mdelay/msleep) before kernel enters blk_trace_free() ioctl$SG_IO(/dev/sda, SG_IO, ...) // Enters trace_note_tsk() after blk_trace_free() returned // Use mdelay in rcu region rather than msleep(which may schedule out) Remove blk_trace from running_list before calling blk_trace_free() by sysfs if blk_trace is at Blktrace_running state.

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-47375

WEB https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee

WEB https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5

WEB https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9

WEB https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222

WEB https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26

WEB https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40

WEB https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269

WEB https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069

Advisory provided by GitHub Security Advisory Database. Published: May 21, 2024, Modified: October 27, 2024

References

https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5

https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269

https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40

https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222

https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069

https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee

https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26

https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9

Published: 2024-05-21T15:03:39.090Z

Last Modified: 2025-05-04T07:09:38.500Z

Copied to clipboard!

CVE-2021-47375

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

Linux

Affected Versions:

Linux

Affected Versions:

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!