Cyber Posture

CVE-2021-47634

Severity: High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

Hulk Robot reported a KASAN report about use-after-free:

 ==================================================================
 BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
 [...]
 Call Trace:
  klist_dec_and_del+0xa7/0x4a0
  klist_put+0xc7/0x1a0
  device_del+0x4d4/0xed0
  cdev_device_del+0x1a/0x80
  ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
  ctrl_cdev_ioctl+0x286/0x2f0 [ubi]

 Allocated by task 1414:
  device_add+0x60a/0x18b0
  cdev_device_add+0x103/0x170
  ubi_create_volume+0x1118/0x1a10 [ubi]
  ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]

 Freed by task 1385:
  cdev_device_del+0x1a/0x80
  ubi_remove_volume+0x438/0x6c0 [ubi]
  ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
 [...]
 ==================================================================

The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent.

ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl.

uif_init will race with ubi_cdev_ioctl as in the following stack.

           cpu1                      cpu2                      cpu3
 _______________________|________________________|______________________
 ctrl_cdev_ioctl
   ubi_attach_mtd_dev
     uif_init
                          ubi_cdev_ioctl
                            ubi_create_volume
                              cdev_device_add
       ubi_add_volume
       // sysfs exist
       kill_volumes
                                                   ubi_cdev_ioctl
                                                     ubi_remove_volume
                                                       cdev_device_del
                                                       // first free
         ubi_free_volume
           cdev_del
           // double free
       cdev_device_del

And uif_close will race with ubi_cdev_ioctl as in the following stack.

           cpu1                      cpu2                      cpu3
 _______________________|________________________|______________________
 ctrl_cdev_ioctl
   ubi_attach_mtd_dev
     uif_init
                          ubi_cdev_ioctl
                            ubi_create_volume
                              cdev_device_add
     ubi_debugfs_init_dev
     // error goto out_uif;
     uif_close
       kill_volumes
                                                   ubi_cdev_ioctl
                                                     ubi_remove_volume
                                                       cdev_device_del
                                                       // first free
         ubi_free_volume
         // double free

The cause of this problem is that commit 714fb87e8bc0 makes the device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show. This avoids accessing uninitialized ubi_devices[ubi_num].

ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counts are released.

The key process is shown in the following stack.

 device_del
   device_remove_attrs
     device_remove_groups
       sysfs_remove_groups
         sysfs_remove_group
           remove_files
             kernfs_remove_by_name
               kernfs_remove_by_name_ns
                 __kernfs_remove
                   kernfs_drain

Security Summary

CVE-2021-47634 is a use-after-free (CWE-416) in the Linux kernel's UBI (Unsorted Block Images) subsystem, caused by a race between the control-device ioctl handler ctrl_cdev_ioctl and the per-device handler ubi_cdev_ioctl. The two paths take different locks: ctrl_cdev_ioctl holds the global ubi_devices_mutex, while ubi_cdev_ioctl holds only the per-device ubi->device_mutex, so nothing serializes them. During attach (ubi_attach_mtd_dev), the device was made reachable through ubi_devices[] before uif_init had finished creating its volumes' character devices and sysfs entries. A volume ioctl on another CPU could therefore create or remove a volume inside that window; when the attach path then ran kill_volumes (on the uif_init error path, or from uif_close after a later initialization failure), it deleted the same cdev a second time. Hulk Robot reported the resulting KASAN use-after-free in __list_del_entry_valid, reached through device_del and cdev_device_del from ubi_attach_mtd_dev, with the freeing call chain running through ubi_remove_volume in ubi_cdev_ioctl. The bug affects attaching MTD (Memory Technology Device) partitions to UBI and the volume management ioctls on the resulting device.

Triggering the bug requires local access and the ability to issue concurrent ioctls against the UBI control node (/dev/ubi_ctrl, for the attach request) and a UBI device node (/dev/ubiN, for volume creation and removal) from multiple threads or CPUs: for example, one thread attaching an MTD device through ctrl_cdev_ioctl while another issues ubi_create_volume or ubi_remove_volume requests through ubi_cdev_ioctl. Winning the race yields a double cdev_device_del and the use-after-free in the kernel's device lists. The CVSS 3.1 vector (7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the impact as high for confidentiality, integrity and availability; the reliable outcome of the race is a kernel crash, with memory corruption and code execution possible but not demonstrated on this page. One caveat on the PR:L rating: both ioctl handlers check for CAP_SYS_RESOURCE and the UBI device nodes are normally root-only, so practical exposure depends on which users or containers hold that capability and can open those nodes.

The fix, carried in the Linux stable repositories, reverts the ordering introduced by commit 714fb87e8bc0, which had made a UBI device "available" in ubi_devices[] before it was accessible through sysfs; with the revert the device is published only after uif_init completes, so a concurrent volume ioctl can no longer find a half-initialized device. To keep the earlier race between device creation and udev closed, the patch also removes the ubi_get_device calls from vol_attribute_show and dev_attribute_show, which could otherwise read an uninitialized ubi_devices[ubi_num] slot. Device lifetime during sysfs access is instead guaranteed by kernfs: device_del proceeds through device_remove_attrs, sysfs_remove_group and __kernfs_remove down to kernfs_drain, which waits for in-flight attribute readers before the device is torn down. Practitioners should confirm that their kernel carries one of the commits listed for this CVE (1a3f1cf87054, 3cbf0e392f17, 432b057f8e84, 5f9e9c223e48 and a8ecee49259f) and prioritise the update on systems where untrusted users can reach the UBI nodes.
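The ordering problem above is easier to see in code than in the two-column diagrams. The program below is an added, constructed user-space model, not kernel code and not part of this advisory or the UBI driver: it replays the uif_close interleaving from the commit message deterministically by calling the "cpu3" remove path at the racy point, once with the pre-fix ordering (device published before initialization finishes) and once with the fixed ordering (device published only after initialization succeeds). The struct layouts, the ubi_devices[] table, the model_* function names and the counter that stands in for KASAN are all inventions of this example; the function names they mirror come from the commit message.

```c
/*
 * Constructed model of the CVE-2021-47634 publish-before-init race.
 * Not kernel code: structures and helpers are simplified inventions,
 * named after the kernel functions they stand in for.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define UBI_MAX_DEVICES 2

struct ubi_volume {
    bool cdev_registered;   /* cdev_device_add() has run */
    bool cdev_deleted;      /* cdev_device_del() has run */
};

struct ubi_device {
    struct ubi_volume *vol;
};

/* Model of the global table that ubi_cdev_ioctl() resolves a ubi_num through. */
static struct ubi_device *ubi_devices[UBI_MAX_DEVICES];

/* Times a volume's cdev was deleted twice: this model's stand-in for KASAN. */
static int double_free_count;

static void model_cdev_device_del(struct ubi_volume *vol)
{
    if (vol->cdev_deleted)
        double_free_count++;    /* in the real kernel this is the use-after-free */
    vol->cdev_deleted = true;
}

/* cpu3: UBI_IOCRMVOL through ubi_cdev_ioctl(). It takes ubi->device_mutex,
 * not ubi_devices_mutex, so nothing stops it running mid-attach. */
static bool model_ubi_cdev_ioctl_remove(int ubi_num)
{
    struct ubi_device *ubi = ubi_devices[ubi_num];

    if (!ubi || !ubi->vol->cdev_registered)
        return false;           /* device not visible: the ioctl fails instead of racing */
    model_cdev_device_del(ubi->vol);    /* "first free" in the commit's diagram */
    return true;
}

/* uif_init() error path: kill_volumes() -> ubi_free_volume() -> cdev_del(). */
static void model_kill_volumes(struct ubi_device *ubi)
{
    model_cdev_device_del(ubi->vol);    /* "double free" when cpu3 got there first */
}

/*
 * cpu1: ubi_attach_mtd_dev() under ubi_devices_mutex, replayed along the
 * uif_close path of the commit message (a later init step fails).
 *   publish_early: true mirrors the pre-fix ordering from commit 714fb87e8bc0,
 *                  where the device is "available" before uif_init finishes;
 *                  false mirrors the fix, which publishes only after init succeeds.
 *   remove_races:  true replays cpu3's UBI_IOCRMVOL inside the window.
 * Returns the number of double deletes observed (0 means safe).
 */
static int model_attach_mtd_dev(int ubi_num, bool publish_early, bool remove_races)
{
    struct ubi_device *ubi = calloc(1, sizeof *ubi);
    struct ubi_volume *vol = calloc(1, sizeof *vol);
    int result;

    if (!ubi || !vol)
        abort();
    ubi->vol = vol;
    double_free_count = 0;

    if (publish_early)
        ubi_devices[ubi_num] = ubi;     /* reachable before it is safe to be */

    /* uif_init(): the volume's cdev and sysfs entries come into existence. */
    vol->cdev_registered = true;

    if (remove_races)
        model_ubi_cdev_ioctl_remove(ubi_num);

    /* ubi_debugfs_init_dev() fails -> goto out_uif -> uif_close() -> kill_volumes() */
    model_kill_volumes(ubi);

    /* On the error path the device must not stay reachable in either ordering. */
    ubi_devices[ubi_num] = NULL;

    result = double_free_count;
    free(vol);
    free(ubi);
    return result;
}

int main(void)
{
    printf("pre-fix ordering, racing remove: %d double free(s)\n",
           model_attach_mtd_dev(0, true, true));
    printf("fixed ordering,   racing remove: %d double free(s)\n",
           model_attach_mtd_dev(0, false, true));
    printf("pre-fix ordering, no race:       %d double free(s)\n",
           model_attach_mtd_dev(0, true, false));
    return 0;
}
```

The model deliberately leaves out the second half of the fix, the kernfs_drain guarantee that keeps a device alive while a sysfs attribute reader is in flight; its point is the invariant the revert restores, which is that an object must not be reachable through a shared table until every step that could still fail and tear it down has completed. The same pattern (publish late, and make the teardown path assume exclusive ownership) is what to look for when reviewing any driver's attach or probe code.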

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

Vendor: linux
Product: linux kernel
Versions: 3.2.84 — 3.3 · 3.10.103 — 3.11 · 3.12.63 — 3.13
