* CVE-2021-47115: nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

From: Greg Kroah-Hartman @ 2024-03-15 20:15 UTC
To: linux-cve-announce; +Cc: Greg Kroah-Hartman

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

It's possible to trigger NULL pointer dereference by local unprivileged
user, when calling getsockname() after failed bind() (e.g. the bind
fails because LLCP_SAP_MAX used as SAP):

BUG: kernel NULL pointer dereference, address: 0000000000000000
CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
Call Trace:
 llcp_sock_getname+0xb1/0xe0
 __sys_getpeername+0x95/0xc0
 ? lockdep_hardirqs_on_prepare+0xd5/0x180
 ? syscall_enter_from_user_mode+0x1c/0x40
 __x64_sys_getpeername+0x11/0x20
 do_syscall_64+0x36/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xae

This can be reproduced with Syzkaller C repro (bind followed by
getpeername):
https://syzkaller.appspot.com/x/repro.c?x=14def446e00000

The Linux kernel CVE team has assigned CVE-2021-47115 to this issue.


Affected and fixed versions
===========================

Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.4.272 with commit eb6875d48590
Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.9.272 with commit 39c15bd2e5d1
Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.14.236 with commit ffff05b9ee5c
Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.19.194 with commit 93e4ac2a9979
Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.4.125 with commit 5d4c4b06ed9f
Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.10.43 with commit 48ee0db61c82
Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.12.10 with commit 0c4559736d9a
Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.13 with commit 4ac06a1e013c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47115
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/nfc/llcp_sock.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/eb6875d48590d8e564092e831ff07fa384d7e477
https://git.kernel.org/stable/c/39c15bd2e5d11bcf7f4c3dba2aad9e1e110a5d94
https://git.kernel.org/stable/c/ffff05b9ee5c74c04bba2801c1f99b31975d74d9
https://git.kernel.org/stable/c/93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f
https://git.kernel.org/stable/c/5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70
https://git.kernel.org/stable/c/48ee0db61c8299022ec88c79ad137f290196cac2
https://git.kernel.org/stable/c/0c4559736d9a4ec1ca58ba98ca34e7c4da4c422b
https://git.kernel.org/stable/c/4ac06a1e013cf5fdd963317ffd3b968560f33bba
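The bug class behind the announcement above is an error path that only partially undoes what it set up: bind() attaches the socket to a device before it can still fail, and a later getname() trusts that attachment. The following userspace model is an added illustration and is not code from net/nfc/llcp_sock.c, from the syzkaller reproducer, or from anyone in this thread. It assumes (marked "model:" in the code) that the SAP allocator signals exhaustion by returning LLCP_SAP_MAX, that the failed bind() clears service_name but not service_name_len while leaving dev attached, and that the fix is to reset dev on the failure path so getname()'s existing guard rejects the socket; the device index, local state and the service name "urn:nfc:sn:test" are constructed sample data. Check the linked stable commits for the real change before relying on any of those details. Where the kernel would copy service_name_len bytes from a NULL pointer, the model returns -EFAULT instead of faulting.

```c
/* Userspace model of the failed-bind -> getname() pattern (illustration only,
 * not code from net/nfc/llcp_sock.c; lines marked "model:" are assumptions). */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LLCP_SAP_MAX              0xff  /* model: also the allocator's "no SAP left" value */
#define NFC_LLCP_MAX_SERVICE_NAME 63

struct nfc_dev        { unsigned int idx; };
struct nfc_llcp_local { unsigned int refcnt; uint8_t next_free_sap; };

struct llcp_sock {
	struct nfc_dev *dev; struct nfc_llcp_local *local; uint8_t ssap;
	char *service_name; size_t service_name_len;
};

struct llcp_addr_out {
	unsigned int idx; uint8_t ssap; size_t service_name_len;
	char service_name[NFC_LLCP_MAX_SERVICE_NAME];
};

/* model: SAPs are handed out sequentially; LLCP_SAP_MAX means the table is full */
static uint8_t get_sdp_ssap(struct nfc_llcp_local *local)
{
	if (local->next_free_sap >= LLCP_SAP_MAX)
		return LLCP_SAP_MAX;
	return local->next_free_sap++;
}

/* bind(): the device is attached first, so every later failure must undo that.
 * `fixed` selects whether the error path clears sk->dev (the fix) or not (the bug). */
int llcp_bind(struct llcp_sock *sk, struct nfc_dev *dev,
	      struct nfc_llcp_local *local, const char *name, bool fixed)
{
	size_t len = strlen(name);
	int rc;

	sk->dev = dev;
	sk->local = local;
	local->refcnt++;
	sk->service_name_len = len > NFC_LLCP_MAX_SERVICE_NAME ? NFC_LLCP_MAX_SERVICE_NAME : len;
	sk->service_name = malloc(sk->service_name_len);
	if (!sk->service_name) {
		rc = -ENOMEM;
		goto fail;
	}
	memcpy(sk->service_name, name, sk->service_name_len);
	sk->ssap = get_sdp_ssap(local);
	if (sk->ssap != LLCP_SAP_MAX)
		return 0;
	rc = -EADDRINUSE;
fail:
	local->refcnt--;
	sk->local = NULL;
	free(sk->service_name);
	sk->service_name = NULL;	/* cleared, but service_name_len is not */
	if (fixed)
		sk->dev = NULL;		/* model of the fix: getname()'s guard below now fires */
	return rc;
}

/* getname(): the only guard is on dev; after it, every field is trusted */
int llcp_getname(const struct llcp_sock *sk, struct llcp_addr_out *out)
{
	if (!sk || !sk->dev)
		return -EBADFD;
	out->idx = sk->dev->idx;
	out->ssap = sk->ssap;
	out->service_name_len = sk->service_name_len;
	/* The kernel copies service_name_len bytes from service_name here; after the
	 * unfixed failed bind that is a read from NULL (the address 0 in the oops).
	 * model: report -EFAULT instead of faulting. */
	if (!sk->service_name && sk->service_name_len)
		return -EFAULT;
	if (sk->service_name_len)
		memcpy(out->service_name, sk->service_name, sk->service_name_len);
	return 0;
}

/* Drive one scenario and return what getname() reports afterwards.
 * table_full reproduces the report: no SAP available, so bind() fails first. */
int bind_then_getname(bool fixed, bool table_full)
{
	struct nfc_dev dev = { .idx = 0 };
	struct nfc_llcp_local local = { .refcnt = 0,
					.next_free_sap = table_full ? LLCP_SAP_MAX : 0x10 };
	struct llcp_sock sk = { 0 };
	struct llcp_addr_out out;
	int rc = llcp_bind(&sk, &dev, &local, "urn:nfc:sn:test", fixed); /* constructed name */

	if (rc != (table_full ? -EADDRINUSE : 0))
		return rc;		/* bind() did not behave as the scenario requires */
	rc = llcp_getname(&sk, &out);
	free(sk.service_name);		/* NULL after a failed bind, freed after a good one */
	return rc;
}
```

bind_then_getname(false, true) is the reported sequence on the unfixed path and yields -EFAULT, the model's stand-in for the oops; bind_then_getname(true, true) shows the fixed path returning -EBADFD from the guard; both variants with table_full == false succeed, which is the check that the cleanup did not break the normal case. The general lesson for review is the one the scenario makes concrete: on every error exit, reset every field the successful path would have initialised, not only the ones that hold references.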
* Re: CVE-2021-47115: nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

From: Robert Frohl @ 2024-03-18 10:18 UTC
To: cve, linux-kernel; +Cc: Greg Kroah-Hartman

Hi all,

CVE-2021-47115 looks like a duplicate of CVE-2021-38208 [0].

Cheers,
Robert

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38208

-- 
Security Engineer, SUSE Software Solutions Germany GmbH, Frankenstraße 146,
90461 Nürnberg, Germany, GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
GPG: D29F 82AA 9FD5 9D6E 74B1 6370 089E DB3D 230A 2404
* Re: CVE-2021-47115: nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

From: Lee Jones @ 2024-03-18 10:35 UTC
To: Robert Frohl; +Cc: cve, linux-kernel, Greg Kroah-Hartman

On Mon, 18 Mar 2024, Robert Frohl wrote:

> Hi all,
>
> CVE-2021-47115 looks like a duplicate of CVE-2021-38208 [0].

CVE-2021-47115 now rejected, thank you for the report Robert.

https://lore.kernel.org/all/20240318103331.2845054-2-lee@kernel.org/

> Cheers,
> Robert
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38208

-- 
Lee Jones [李琼斯]
* REJECTED: CVE-2021-47115: nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

From: Lee Jones @ 2024-03-18 10:33 UTC
To: linux-cve-announce; +Cc: Lee Jones

CVE-2021-47115 has now been rejected and is no longer a valid CVE.