FKIE_CVE-2021-47303

Vulnerability from fkie_nvd - Published: 2024-05-21 15:15 - Updated: 2026-06-17 04:17
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Track subprog poke descriptors correctly and fix use-after-free Subprograms are calling map_poke_track(), but on program release there is no hook to call map_poke_untrack(). However, on program release, the aux memory (and poke descriptor table) is freed even though we still have a reference to it in the element list of the map aux data. When we run map_poke_run(), we then end up accessing free'd memory, triggering KASAN in prog_array_map_poke_run(): [...] [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337 [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399 [ 402.824715] Call Trace: [ 402.824719] dump_stack+0x93/0xc2 [ 402.824727] print_address_description.constprop.0+0x1a/0x140 [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824744] kasan_report.cold+0x7c/0xd8 [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824757] prog_array_map_poke_run+0xc2/0x34e [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0 [...] The elements concerned are walked as follows: for (i = 0; i < elem->aux->size_poke_tab; i++) { poke = &elem->aux->poke_tab[i]; [...] The access to size_poke_tab is a 4 byte read, verified by checking offsets in the KASAN dump: [ 402.825004] The buggy address belongs to the object at ffff8881905a7800 which belongs to the cache kmalloc-1k of size 1024 [ 402.825008] The buggy address is located 320 bytes inside of 1024-byte region [ffff8881905a7800, ffff8881905a7c00) The pahole output of bpf_prog_aux: struct bpf_prog_aux { [...] /* --- cacheline 5 boundary (320 bytes) --- */ u32 size_poke_tab; /* 320 4 */ [...] In general, subprograms do not necessarily manage their own data structures. For example, BTF func_info and linfo are just pointers to the main program structure. This allows reference counting and cleanup to be done on the latter which simplifies their management a bit. The aux->poke_tab struct, however, did not follow this logic. The initial proposed fix for this use-after-free bug further embedded poke data tracking into the subprogram with proper reference counting. However, Daniel and Alexei questioned why we were treating these objects special; I agree, its unnecessary. The fix here removes the per subprogram poke table allocation and map tracking and instead simply points the aux->poke_tab pointer at the main programs poke table. This way, map tracking is simplified to the main program and we do not need to manage them per subprogram. This also means, bpf_prog_free_deferred(), which unwinds the program reference counting and kfrees objects, needs to ensure that we don't try to double free the poke_tab when free'ing the subprog structures. This is easily solved by NULL'ing the poke_tab pointer. The second detail is to ensure that per subprogram JIT logic only does fixups on poke_tab[] entries it owns. To do this, we add a pointer in the poke structure to point at the subprogram value so JITs can easily check while walking the poke_tab structure if the current entry belongs to the current program. The aux pointer is stable and therefore suitable for such comparison. On the jit_subprogs() error path, we omit cleaning up the poke->aux field because these are only ever referenced from the JIT side, but on error we will never make it to the JIT, so its fine to leave them dangling. Removing these pointers would complicate the error path for no reason. However, we do need to untrack all poke descriptors from the main program as otherwise they could race with the freeing of JIT memory from the subprograms. Lastly, a748c6975dea3 ("bpf: propagate poke des ---truncated---
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.14

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/net/bpf_jit_comp.c",
            "include/linux/bpf.h",
            "kernel/bpf/core.c",
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9f36bf3613c65cb587c70fac655c775d911409b",
              "status": "affected",
              "version": "a748c6975dea325da540610c2ba9b5f332c603e6",
              "versionType": "git"
            },
            {
              "lessThan": "599148d40366bd5d1d504a3a8fcd65e21107e500",
              "status": "affected",
              "version": "a748c6975dea325da540610c2ba9b5f332c603e6",
              "versionType": "git"
            },
            {
              "lessThan": "f263a81451c12da5a342d90572e317e611846f2c",
              "status": "affected",
              "version": "a748c6975dea325da540610c2ba9b5f332c603e6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/net/bpf_jit_comp.c",
            "include/linux/bpf.h",
            "kernel/bpf/core.c",
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.13.*",
              "status": "unaffected",
              "version": "5.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DEFC6EF-3F05-496C-9CCD-DF3BDE77EC04",
              "versionEndExcluding": "5.10.53",
              "versionStartIncluding": "5.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "808DF8D9-4913-4CC7-B91F-B4146556B7ED",
              "versionEndExcluding": "5.13.5",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "71268287-21A8-4488-AA4F-23C473153131",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Track subprog poke descriptors correctly and fix use-after-free\n\nSubprograms are calling map_poke_track(), but on program release there is no\nhook to call map_poke_untrack(). However, on program release, the aux memory\n(and poke descriptor table) is freed even though we still have a reference to\nit in the element list of the map aux data. When we run map_poke_run(), we then\nend up accessing free\u0027d memory, triggering KASAN in prog_array_map_poke_run():\n\n  [...]\n  [  402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e\n  [  402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337\n  [  402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G          I       5.12.0+ #399\n  [  402.824715] Call Trace:\n  [  402.824719]  dump_stack+0x93/0xc2\n  [  402.824727]  print_address_description.constprop.0+0x1a/0x140\n  [  402.824736]  ? prog_array_map_poke_run+0xc2/0x34e\n  [  402.824740]  ? prog_array_map_poke_run+0xc2/0x34e\n  [  402.824744]  kasan_report.cold+0x7c/0xd8\n  [  402.824752]  ? prog_array_map_poke_run+0xc2/0x34e\n  [  402.824757]  prog_array_map_poke_run+0xc2/0x34e\n  [  402.824765]  bpf_fd_array_map_update_elem+0x124/0x1a0\n  [...]\n\nThe elements concerned are walked as follows:\n\n    for (i = 0; i \u003c elem-\u003eaux-\u003esize_poke_tab; i++) {\n           poke = \u0026elem-\u003eaux-\u003epoke_tab[i];\n    [...]\n\nThe access to size_poke_tab is a 4 byte read, verified by checking offsets\nin the KASAN dump:\n\n  [  402.825004] The buggy address belongs to the object at ffff8881905a7800\n                 which belongs to the cache kmalloc-1k of size 1024\n  [  402.825008] The buggy address is located 320 bytes inside of\n                 1024-byte region [ffff8881905a7800, ffff8881905a7c00)\n\nThe pahole output of bpf_prog_aux:\n\n  struct bpf_prog_aux {\n    [...]\n    /* --- cacheline 5 boundary (320 bytes) --- */\n    u32                        size_poke_tab;        /*   320     4 */\n    [...]\n\nIn general, subprograms do not necessarily manage their own data structures.\nFor example, BTF func_info and linfo are just pointers to the main program\nstructure. This allows reference counting and cleanup to be done on the latter\nwhich simplifies their management a bit. The aux-\u003epoke_tab struct, however,\ndid not follow this logic. The initial proposed fix for this use-after-free\nbug further embedded poke data tracking into the subprogram with proper\nreference counting. However, Daniel and Alexei questioned why we were treating\nthese objects special; I agree, its unnecessary. The fix here removes the per\nsubprogram poke table allocation and map tracking and instead simply points\nthe aux-\u003epoke_tab pointer at the main programs poke table. This way, map\ntracking is simplified to the main program and we do not need to manage them\nper subprogram.\n\nThis also means, bpf_prog_free_deferred(), which unwinds the program reference\ncounting and kfrees objects, needs to ensure that we don\u0027t try to double free\nthe poke_tab when free\u0027ing the subprog structures. This is easily solved by\nNULL\u0027ing the poke_tab pointer. The second detail is to ensure that per\nsubprogram JIT logic only does fixups on poke_tab[] entries it owns. To do\nthis, we add a pointer in the poke structure to point at the subprogram value\nso JITs can easily check while walking the poke_tab structure if the current\nentry belongs to the current program. The aux pointer is stable and therefore\nsuitable for such comparison. On the jit_subprogs() error path, we omit\ncleaning up the poke-\u003eaux field because these are only ever referenced from\nthe JIT side, but on error we will never make it to the JIT, so its fine to\nleave them dangling. Removing these pointers would complicate the error path\nfor no reason. However, we do need to untrack all poke descriptors from the\nmain program as otherwise they could race with the freeing of JIT memory from\nthe subprograms. Lastly, a748c6975dea3 (\"bpf: propagate poke des\n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: realiza un seguimiento correcto de los descriptores de poke del subprog y corrige el use-after-free. Los subprogramas llaman a map_poke_track(), pero en el lanzamiento del programa no hay ning\u00fan enlace para llamar a map_poke_untrack(). Sin embargo, al lanzar el programa, la memoria auxiliar (y la tabla de descriptores de inserci\u00f3n) se liberan aunque todav\u00eda tengamos una referencia a ella en la lista de elementos de los datos auxiliares del mapa. Cuando ejecutamos map_poke_run(), terminamos accediendo a la memoria liberada, lo que activa KASAN en prog_array_map_poke_run(): [...] [402.824689] ERROR: KASAN: use-after-free en prog_array_map_poke_run+0xc2/0x34e [402.824698] Lectura del tama\u00f1o 4 en la direcci\u00f3n ffff8881905a7940 mediante la tarea hubble-fgs/4337 [402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Contaminado: GI 5.12.0+ #399 [402.824715] Seguimiento de llamadas: [402.824719] x93/ 0xc2 [402.824727] print_address_description.constprop.0+0x1a/0x140 [402.824736]? prog_array_map_poke_run+0xc2/0x34e [402.824740]? prog_array_map_poke_run+0xc2/0x34e [ 402.824744] kasan_report.cold+0x7c/0xd8 [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824757] prog_array_map_poke_run+0xc2/0x34e [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0 [...] Los elementos en cuesti\u00f3n se recorren de la siguiente manera: for (i = 0; i \u0026lt; elem-\u0026gt; aux-\u0026gt;tama\u00f1o_poke_tab; i++) { empujar = \u0026amp;elem-\u0026gt;aux-\u0026gt;poke_tab[i]; [...] El acceso a size_poke_tab es una lectura de 4 bytes, verificada verificando las compensaciones en el volcado de KASAN: [402.825004] La direcci\u00f3n con errores pertenece al objeto en ffff8881905a7800 que pertenece al cach\u00e9 kmalloc-1k de tama\u00f1o 1024 [402.825008] La direcci\u00f3n con errores se encuentra a 320 bytes dentro de una regi\u00f3n de 1024 bytes [ffff8881905a7800, ffff8881905a7c00) La salida de error de bpf_prog_aux: struct bpf_prog_aux { [...] /* --- l\u00edmite de cacheline 5 (320 bytes) --- */ u32 tama\u00f1o_poke_tab; /* 320 4 */ [...] En general, los subprogramas no necesariamente gestionan sus propias estructuras de datos. Por ejemplo, BTF func_info y linfo son s\u00f3lo punteros a la estructura principal del programa. Esto permite realizar un recuento de referencias y una sanitizaci\u00f3n de estos \u00faltimos, lo que simplifica un poco su gesti\u00f3n. La estructura aux-\u0026gt;poke_tab, sin embargo, no sigui\u00f3 esta l\u00f3gica. La soluci\u00f3n inicial propuesta para este error de use-after-free incorpor\u00f3 a\u00fan m\u00e1s el seguimiento de datos de inserci\u00f3n en el subprograma con un recuento de referencias adecuado. Sin embargo, Daniel y Alexei se preguntaron por qu\u00e9 trat\u00e1bamos a estos objetos de manera especial; Estoy de acuerdo, es innecesario. La soluci\u00f3n aqu\u00ed elimina la asignaci\u00f3n de la tabla de poke por subprograma y el seguimiento del mapa y, en su lugar, simplemente apunta el puntero aux-\u0026gt;poke_tab a la tabla de poke del programa principal. De esta manera, el seguimiento de mapas se simplifica al programa principal y no necesitamos gestionarlos por subprograma. Esto tambi\u00e9n significa que bpf_prog_free_deferred(), que desenrolla el recuento de referencias del programa y libera objetos, debe garantizar que no intentemos liberar dos veces el poke_tab al liberar las estructuras de subprog. Esto se resuelve f\u00e1cilmente haciendo NULL en el puntero poke_tab. El segundo detalle es garantizar que la l\u00f3gica JIT por subprograma solo realice correcciones en las entradas poke_tab[] que posee. Para hacer esto, agregamos un puntero en la estructura poke para se\u00f1alar el valor del subprograma para que los JIT puedan verificar f\u00e1cilmente mientras recorren la estructura poke_tab si la entrada actual pertenece al programa actual. El puntero auxiliar es estable y, por tanto, adecuado para dicha comparaci\u00f3n. ---truncado---"
    }
  ],
  "id": "CVE-2021-47303",
  "lastModified": "2026-06-17T04:17:08.833",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2021-47303",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-05-29T18:50:53.751322Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-05-21T15:15:18.037",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a9f36bf3613c65cb587c70fac655c775d911409b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f263a81451c12da5a342d90572e317e611846f2c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a9f36bf3613c65cb587c70fac655c775d911409b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f263a81451c12da5a342d90572e317e611846f2c"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…