CVE-2021-47082

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47082
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47082.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47082
Published
2024-03-04T18:15:07Z
Modified
2025-01-14T17:46:40.776907Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tun: avoid double free in tun_free_netdev

Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the destructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.

BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
Hardware name: Red Hat KVM, BIOS
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
 ____kasan_slab_free mm/kasan/common.c:346 [inline]
 __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook mm/slub.c:1749 [inline]
 slab_free mm/slub.c:3513 [inline]
 kfree+0xac/0x2d0 mm/slub.c:4561
 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.136-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}