epoll: Does anyone know about CVE-2021-39634

From: wanghai (M)
Date: Thu Mar 10 2022 - 10:17:34 EST

Next message: patchwork-bot+netdevbpf: "Re: [PATCH] bpf: test_run: use kvfree() for memory allocated with kvmalloc()"
Previous message: Dave Hansen: "Re: [RFC PATCH v0 0/6] x86/AMD: Userspace address tagging"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've spent a long time and can't figure out the details of the following CVE, can anyone help me?

CVE-2021-39634 [1]
In fs/eventpoll.c, there is a possible use after free.

I have two questions:
1. How does the UAF problem happen?
2. Why it can be fixed by commit f8d4f44df056 ("epoll: do not insert into poll queues until all sanity checks are done") [2]

I'm guessing that patch [3] solved a problem similar to [4], is this correct?

Any feedback would be appreciated, thanks.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39634
[2] https://www.linuxkernelcves.com/cves/CVE-2021-39634
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f8d4f44df056c5b504b0d49683fb7279218fd207
[4] https://cloudfuzz.github.io/android-kernel-exploitation/chapters/root-cause-analysis.html

--
Wang Hai

Next message: patchwork-bot+netdevbpf: "Re: [PATCH] bpf: test_run: use kvfree() for memory allocated with kvmalloc()"
Previous message: Dave Hansen: "Re: [RFC PATCH v0 0/6] x86/AMD: Userspace address tagging"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]