FKIE_CVE-2021-47303
Vulnerability from fkie_nvd - Published: 2024-05-21 15:15 - Updated: 2026-06-17 04:17
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Track subprog poke descriptors correctly and fix use-after-free
Subprograms are calling map_poke_track(), but on program release there is no
hook to call map_poke_untrack(). However, on program release, the aux memory
(and poke descriptor table) is freed even though we still have a reference to
it in the element list of the map aux data. When we run map_poke_run(), we then
end up accessing free'd memory, triggering KASAN in prog_array_map_poke_run():
[...]
[ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e
[ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337
[ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399
[ 402.824715] Call Trace:
[ 402.824719] dump_stack+0x93/0xc2
[ 402.824727] print_address_description.constprop.0+0x1a/0x140
[ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e
[ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e
[ 402.824744] kasan_report.cold+0x7c/0xd8
[ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e
[ 402.824757] prog_array_map_poke_run+0xc2/0x34e
[ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0
[...]
The elements concerned are walked as follows:
for (i = 0; i < elem->aux->size_poke_tab; i++) {
poke = &elem->aux->poke_tab[i];
[...]
The access to size_poke_tab is a 4 byte read, verified by checking offsets
in the KASAN dump:
[ 402.825004] The buggy address belongs to the object at ffff8881905a7800
which belongs to the cache kmalloc-1k of size 1024
[ 402.825008] The buggy address is located 320 bytes inside of
1024-byte region [ffff8881905a7800, ffff8881905a7c00)
The pahole output of bpf_prog_aux:
struct bpf_prog_aux {
[...]
/* --- cacheline 5 boundary (320 bytes) --- */
u32 size_poke_tab; /* 320 4 */
[...]
In general, subprograms do not necessarily manage their own data structures.
For example, BTF func_info and linfo are just pointers to the main program
structure. This allows reference counting and cleanup to be done on the latter
which simplifies their management a bit. The aux->poke_tab struct, however,
did not follow this logic. The initial proposed fix for this use-after-free
bug further embedded poke data tracking into the subprogram with proper
reference counting. However, Daniel and Alexei questioned why we were treating
these objects special; I agree, its unnecessary. The fix here removes the per
subprogram poke table allocation and map tracking and instead simply points
the aux->poke_tab pointer at the main programs poke table. This way, map
tracking is simplified to the main program and we do not need to manage them
per subprogram.
This also means, bpf_prog_free_deferred(), which unwinds the program reference
counting and kfrees objects, needs to ensure that we don't try to double free
the poke_tab when free'ing the subprog structures. This is easily solved by
NULL'ing the poke_tab pointer. The second detail is to ensure that per
subprogram JIT logic only does fixups on poke_tab[] entries it owns. To do
this, we add a pointer in the poke structure to point at the subprogram value
so JITs can easily check while walking the poke_tab structure if the current
entry belongs to the current program. The aux pointer is stable and therefore
suitable for such comparison. On the jit_subprogs() error path, we omit
cleaning up the poke->aux field because these are only ever referenced from
the JIT side, but on error we will never make it to the JIT, so its fine to
leave them dangling. Removing these pointers would complicate the error path
for no reason. However, we do need to untrack all poke descriptors from the
main program as otherwise they could race with the freeing of JIT memory from
the subprograms. Lastly, a748c6975dea3 ("bpf: propagate poke des
---truncated---
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 5.14 |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/net/bpf_jit_comp.c",
"include/linux/bpf.h",
"kernel/bpf/core.c",
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9f36bf3613c65cb587c70fac655c775d911409b",
"status": "affected",
"version": "a748c6975dea325da540610c2ba9b5f332c603e6",
"versionType": "git"
},
{
"lessThan": "599148d40366bd5d1d504a3a8fcd65e21107e500",
"status": "affected",
"version": "a748c6975dea325da540610c2ba9b5f332c603e6",
"versionType": "git"
},
{
"lessThan": "f263a81451c12da5a342d90572e317e611846f2c",
"status": "affected",
"version": "a748c6975dea325da540610c2ba9b5f332c603e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/net/bpf_jit_comp.c",
"include/linux/bpf.h",
"kernel/bpf/core.c",
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.13.*",
"status": "unaffected",
"version": "5.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3DEFC6EF-3F05-496C-9CCD-DF3BDE77EC04",
"versionEndExcluding": "5.10.53",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "808DF8D9-4913-4CC7-B91F-B4146556B7ED",
"versionEndExcluding": "5.13.5",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*",
"matchCriteriaId": "71268287-21A8-4488-AA4F-23C473153131",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Track subprog poke descriptors correctly and fix use-after-free\n\nSubprograms are calling map_poke_track(), but on program release there is no\nhook to call map_poke_untrack(). However, on program release, the aux memory\n(and poke descriptor table) is freed even though we still have a reference to\nit in the element list of the map aux data. When we run map_poke_run(), we then\nend up accessing free\u0027d memory, triggering KASAN in prog_array_map_poke_run():\n\n [...]\n [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e\n [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337\n [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399\n [ 402.824715] Call Trace:\n [ 402.824719] dump_stack+0x93/0xc2\n [ 402.824727] print_address_description.constprop.0+0x1a/0x140\n [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824744] kasan_report.cold+0x7c/0xd8\n [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824757] prog_array_map_poke_run+0xc2/0x34e\n [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0\n [...]\n\nThe elements concerned are walked as follows:\n\n for (i = 0; i \u003c elem-\u003eaux-\u003esize_poke_tab; i++) {\n poke = \u0026elem-\u003eaux-\u003epoke_tab[i];\n [...]\n\nThe access to size_poke_tab is a 4 byte read, verified by checking offsets\nin the KASAN dump:\n\n [ 402.825004] The buggy address belongs to the object at ffff8881905a7800\n which belongs to the cache kmalloc-1k of size 1024\n [ 402.825008] The buggy address is located 320 bytes inside of\n 1024-byte region [ffff8881905a7800, ffff8881905a7c00)\n\nThe pahole output of bpf_prog_aux:\n\n struct bpf_prog_aux {\n [...]\n /* --- cacheline 5 boundary (320 bytes) --- */\n u32 size_poke_tab; /* 320 4 */\n [...]\n\nIn general, subprograms do not necessarily manage their own data structures.\nFor example, BTF func_info and linfo are just pointers to the main program\nstructure. This allows reference counting and cleanup to be done on the latter\nwhich simplifies their management a bit. The aux-\u003epoke_tab struct, however,\ndid not follow this logic. The initial proposed fix for this use-after-free\nbug further embedded poke data tracking into the subprogram with proper\nreference counting. However, Daniel and Alexei questioned why we were treating\nthese objects special; I agree, its unnecessary. The fix here removes the per\nsubprogram poke table allocation and map tracking and instead simply points\nthe aux-\u003epoke_tab pointer at the main programs poke table. This way, map\ntracking is simplified to the main program and we do not need to manage them\nper subprogram.\n\nThis also means, bpf_prog_free_deferred(), which unwinds the program reference\ncounting and kfrees objects, needs to ensure that we don\u0027t try to double free\nthe poke_tab when free\u0027ing the subprog structures. This is easily solved by\nNULL\u0027ing the poke_tab pointer. The second detail is to ensure that per\nsubprogram JIT logic only does fixups on poke_tab[] entries it owns. To do\nthis, we add a pointer in the poke structure to point at the subprogram value\nso JITs can easily check while walking the poke_tab structure if the current\nentry belongs to the current program. The aux pointer is stable and therefore\nsuitable for such comparison. On the jit_subprogs() error path, we omit\ncleaning up the poke-\u003eaux field because these are only ever referenced from\nthe JIT side, but on error we will never make it to the JIT, so its fine to\nleave them dangling. Removing these pointers would complicate the error path\nfor no reason. However, we do need to untrack all poke descriptors from the\nmain program as otherwise they could race with the freeing of JIT memory from\nthe subprograms. Lastly, a748c6975dea3 (\"bpf: propagate poke des\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: realiza un seguimiento correcto de los descriptores de poke del subprog y corrige el use-after-free. Los subprogramas llaman a map_poke_track(), pero en el lanzamiento del programa no hay ning\u00fan enlace para llamar a map_poke_untrack(). Sin embargo, al lanzar el programa, la memoria auxiliar (y la tabla de descriptores de inserci\u00f3n) se liberan aunque todav\u00eda tengamos una referencia a ella en la lista de elementos de los datos auxiliares del mapa. Cuando ejecutamos map_poke_run(), terminamos accediendo a la memoria liberada, lo que activa KASAN en prog_array_map_poke_run(): [...] [402.824689] ERROR: KASAN: use-after-free en prog_array_map_poke_run+0xc2/0x34e [402.824698] Lectura del tama\u00f1o 4 en la direcci\u00f3n ffff8881905a7940 mediante la tarea hubble-fgs/4337 [402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Contaminado: GI 5.12.0+ #399 [402.824715] Seguimiento de llamadas: [402.824719] x93/ 0xc2 [402.824727] print_address_description.constprop.0+0x1a/0x140 [402.824736]? prog_array_map_poke_run+0xc2/0x34e [402.824740]? prog_array_map_poke_run+0xc2/0x34e [ 402.824744] kasan_report.cold+0x7c/0xd8 [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824757] prog_array_map_poke_run+0xc2/0x34e [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0 [...] Los elementos en cuesti\u00f3n se recorren de la siguiente manera: for (i = 0; i \u0026lt; elem-\u0026gt; aux-\u0026gt;tama\u00f1o_poke_tab; i++) { empujar = \u0026amp;elem-\u0026gt;aux-\u0026gt;poke_tab[i]; [...] El acceso a size_poke_tab es una lectura de 4 bytes, verificada verificando las compensaciones en el volcado de KASAN: [402.825004] La direcci\u00f3n con errores pertenece al objeto en ffff8881905a7800 que pertenece al cach\u00e9 kmalloc-1k de tama\u00f1o 1024 [402.825008] La direcci\u00f3n con errores se encuentra a 320 bytes dentro de una regi\u00f3n de 1024 bytes [ffff8881905a7800, ffff8881905a7c00) La salida de error de bpf_prog_aux: struct bpf_prog_aux { [...] /* --- l\u00edmite de cacheline 5 (320 bytes) --- */ u32 tama\u00f1o_poke_tab; /* 320 4 */ [...] En general, los subprogramas no necesariamente gestionan sus propias estructuras de datos. Por ejemplo, BTF func_info y linfo son s\u00f3lo punteros a la estructura principal del programa. Esto permite realizar un recuento de referencias y una sanitizaci\u00f3n de estos \u00faltimos, lo que simplifica un poco su gesti\u00f3n. La estructura aux-\u0026gt;poke_tab, sin embargo, no sigui\u00f3 esta l\u00f3gica. La soluci\u00f3n inicial propuesta para este error de use-after-free incorpor\u00f3 a\u00fan m\u00e1s el seguimiento de datos de inserci\u00f3n en el subprograma con un recuento de referencias adecuado. Sin embargo, Daniel y Alexei se preguntaron por qu\u00e9 trat\u00e1bamos a estos objetos de manera especial; Estoy de acuerdo, es innecesario. La soluci\u00f3n aqu\u00ed elimina la asignaci\u00f3n de la tabla de poke por subprograma y el seguimiento del mapa y, en su lugar, simplemente apunta el puntero aux-\u0026gt;poke_tab a la tabla de poke del programa principal. De esta manera, el seguimiento de mapas se simplifica al programa principal y no necesitamos gestionarlos por subprograma. Esto tambi\u00e9n significa que bpf_prog_free_deferred(), que desenrolla el recuento de referencias del programa y libera objetos, debe garantizar que no intentemos liberar dos veces el poke_tab al liberar las estructuras de subprog. Esto se resuelve f\u00e1cilmente haciendo NULL en el puntero poke_tab. El segundo detalle es garantizar que la l\u00f3gica JIT por subprograma solo realice correcciones en las entradas poke_tab[] que posee. Para hacer esto, agregamos un puntero en la estructura poke para se\u00f1alar el valor del subprograma para que los JIT puedan verificar f\u00e1cilmente mientras recorren la estructura poke_tab si la entrada actual pertenece al programa actual. El puntero auxiliar es estable y, por tanto, adecuado para dicha comparaci\u00f3n. ---truncado---"
}
],
"id": "CVE-2021-47303",
"lastModified": "2026-06-17T04:17:08.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2021-47303",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T18:50:53.751322Z",
"version": "2.0.3"
}
}
]
},
"published": "2024-05-21T15:15:18.037",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/a9f36bf3613c65cb587c70fac655c775d911409b"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/f263a81451c12da5a342d90572e317e611846f2c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/a9f36bf3613c65cb587c70fac655c775d911409b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/f263a81451c12da5a342d90572e317e611846f2c"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…