CVE-2021-47638
26.02.2025, 06:37
In the Linux kernel, the following vulnerability has been resolved:
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
'whiteout_ui->data' will be freed twice if space budget fail for
rename whiteout operation as following process:
rename_whiteout
dev = kmalloc
whiteout_ui->data = dev
kfree(whiteout_ui->data) // Free first time
iput(whiteout)
ubifs_free_inode
kfree(ui->data) // Double free!
KASAN reports:
==================================================================
BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
Call Trace:
kfree+0x117/0x490
ubifs_free_inode+0x4f/0x70 [ubifs]
i_callback+0x30/0x60
rcu_do_batch+0x366/0xac0
__do_softirq+0x133/0x57f
Allocated by task 1506:
kmem_cache_alloc_trace+0x3c2/0x7a0
do_rename+0x9b7/0x1150 [ubifs]
ubifs_rename+0x106/0x1f0 [ubifs]
do_syscall_64+0x35/0x80
Freed by task 1506:
kfree+0x117/0x490
do_rename.cold+0x53/0x8a [ubifs]
ubifs_rename+0x106/0x1f0 [ubifs]
do_syscall_64+0x35/0x80
The buggy address belongs to the object at ffff88810238bed8 which
belongs to the cache kmalloc-8 of size 8
==================================================================
Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
(because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release',
and the nlink of whiteout inode is 0).Enginsight| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 4.9 ≤ 𝑥 < 4.14.276 |
| linux | linux_kernel | 4.15 ≤ 𝑥 < 4.19.238 |
| linux | linux_kernel | 4.20 ≤ 𝑥 < 5.4.189 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.110 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.33 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 5.16.19 |
| linux | linux_kernel | 5.17 ≤ 𝑥 < 5.17.2 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References