阿里云漏洞库

漏洞描述

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and

ffs_ep0_release, so it ends up being called twice when userland closes ep0

and then unmounts f_fs.

If userland provided an eventfd along with function's USB descriptors, it

ends up calling eventfd_ctx_put as many times, causing a refcount

underflow.

NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

Also, set epfiles to NULL right after de-allocating it, for readability.

For completeness, ffs_data_clear actually ends up being called thrice, the

last call being before the whole ffs structure gets freed, so when this

specific sequence happens there is a second underflow happening (but not

being reported):

/sys/kernel/debug/tracing# modprobe usb_f_fs

/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter

/sys/kernel/debug/tracing# echo function > current_tracer

/sys/kernel/debug/tracing# echo 1 > tracing_on

(setup gadget, run and kill function userland process, teardown gadget)

/sys/kernel/debug/tracing# echo 0 > tracing_on

/sys/kernel/debug/tracing# cat trace

smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed

smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed

smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put

Warning output corresponding to above trace:

[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c

[ 1946.293094] refcount_t: underflow; use-after-free.

[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)

[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1

[ 1946.417950] Hardware name: BCM2835

[ 1946.425442] Backtrace:

[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)

[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c

[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)

[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)

[ 1946.482067] r5:c04a948c r4:c0a71dc8

[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)

[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04

[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)

[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0

[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)

[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])

[ 1946.582664] r5:c3b84c00 r4:c2695b00

[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])

[ 1946.609608] r5:bf54d014 r4:c2695b00

[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])

[ 1946.636217] r7:c0dfcb

---truncated---

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154
https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	debian_10	linux	*		Up to (excluding) 4.19.232-1
	运行在以下环境
	系统	debian_11	linux	*		Up to (excluding) 5.10.92-1
	运行在以下环境
	系统	debian_12	linux	*		Up to (excluding) 5.15.15-1
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.0.0	Up to (excluding) 4.4.298
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.10.0	Up to (excluding) 4.14.261
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.15.0	Up to (excluding) 4.19.224
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.20.0	Up to (excluding) 5.4.170
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.5.0	Up to (excluding) 4.9.296
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.11.0	Up to (excluding) 5.15.13
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.5.0	Up to (excluding) 5.10.90

攻击路径

本地
攻击复杂度

困难
权限要求

管控权限
影响范围

有限影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-416	释放后使用

中危 USB：小工具：f_fs：清除ffs_data_clear中的ffs_eventfd。 (CVE-2021-46933)

漏洞描述

解决建议

参考链接

受影响软件情况