In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.
History

Tue, 24 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.12:rc7:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Mon, 04 Nov 2024 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-28T08:13:15.310Z

Updated: 2024-12-19T07:33:06.942Z

Reserved: 2024-02-27T18:42:55.948Z

Link: CVE-2021-46988

cve-icon Vulnrichment

Updated: 2024-08-04T05:24:38.475Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2024-02-28T09:15:37.640

Modified: 2024-12-24T14:25:32.130

Link: CVE-2021-46988

cve-icon Redhat

Severity : Low

Publid Date: 2024-02-28T00:00:00Z

Links: CVE-2021-46988 - Bugzilla