CVE-2021-47200

In the Linux kernel, the following vulnerability has been resolved: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that drop will free the gem object, and the subsequent drm_gem_object_get() will be a UAF. Fix by grabbing a reference before calling the mmap helper. This issue was forseen when the reference dropping was adding in commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"): "For that to work properly the drm_gem_object_get() call in drm_gem_ttm_mmap() must be moved so it happens before calling obj->funcs->mmap(), otherwise the gem refcount would go down to zero."

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0	Patch
https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f	Patch
https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0	Patch
https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

07 Jan 2025, 17:12

Type	Values Removed	Values Added
CWE		CWE-416
First Time		Linux linux Kernel Linux
CPE		cpe:2.3:o:linux:linux_kernel::::::::
References	~~() https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0 -~~	() https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0 - Patch
References	~~() https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f -~~	() https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

Information

Published : 2024-04-10 19:15

Updated : 2025-01-07 17:12

NVD link : CVE-2021-47200

Mitre link : CVE-2021-47200

CVE.ORG link : CVE-2021-47200

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2021-47200", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-04-10T19:15:48.077", "references": [{"url": "https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/prime: Fix use after free in mmap with drm_gem_ttm_mmap\n\ndrm_gem_ttm_mmap() drops a reference to the gem object on success. If\nthe gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that\ndrop will free the gem object, and the subsequent drm_gem_object_get()\nwill be a UAF. Fix by grabbing a reference before calling the mmap\nhelper.\n\nThis issue was forseen when the reference dropping was adding in\ncommit 9786b65bc61ac (\"drm/ttm: fix mmap refcounting\"):\n \"For that to work properly the drm_gem_object_get() call in\n drm_gem_ttm_mmap() must be moved so it happens before calling\n obj->funcs->mmap(), otherwise the gem refcount would go down\n to zero.\""}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/prime: Arreglar el use-after-free en mmap con drm_gem_ttm_mmap drm_gem_ttm_mmap() elimina una referencia al objeto gema en caso de \u00e9xito. Si el refcount del objeto gema == 1 en la entrada a drm_gem_prime_mmap(), esa eliminaci\u00f3n liberar\u00e1 el objeto gema y el drm_gem_object_get() posterior ser\u00e1 un UAF. Se soluciona tomando una referencia antes de llamar al ayudante mmap. Este problema se previ\u00f3 cuando se agreg\u00f3 la eliminaci\u00f3n de referencia en el commit 9786b65bc61ac (\"drm/ttm: corregir el recuento de referencias mmap\"): \"Para que eso funcione correctamente, la llamada drm_gem_object_get() en drm_gem_ttm_mmap() debe moverse para que suceda antes de llamar a obj->funcs->mmap(), de lo contrario, el recuento de referencias de la gema bajar\u00eda a cero\"."}], "lastModified": "2025-01-07T17:12:06.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24C2E67E-369B-4DC4-89C9-101DE1BAA919", "versionEndExcluding": "5.15.5", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}