{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T02:35:42.556","vulnerabilities":[{"cve":{"id":"CVE-2021-47379","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-21T15:15:23.590","lastModified":"2024-12-23T20:47:30.867","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd\n\nKASAN reports a use-after-free report when doing fuzz test:\n\n[693354.104835] ==================================================================\n[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338\n\n[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147\n[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018\n[693354.105612] Call Trace:\n[693354.105621]  dump_stack+0xf1/0x19b\n[693354.105626]  ? show_regs_print_info+0x5/0x5\n[693354.105634]  ? printk+0x9c/0xc3\n[693354.105638]  ? cpumask_weight+0x1f/0x1f\n[693354.105648]  print_address_description+0x70/0x360\n[693354.105654]  kasan_report+0x1b2/0x330\n[693354.105659]  ? bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105665]  ? bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105670]  bfq_io_set_weight_legacy+0xd3/0x160\n[693354.105675]  ? bfq_cpd_init+0x20/0x20\n[693354.105683]  cgroup_file_write+0x3aa/0x510\n[693354.105693]  ? ___slab_alloc+0x507/0x540\n[693354.105698]  ? cgroup_file_poll+0x60/0x60\n[693354.105702]  ? 0xffffffff89600000\n[693354.105708]  ? usercopy_abort+0x90/0x90\n[693354.105716]  ? mutex_lock+0xef/0x180\n[693354.105726]  kernfs_fop_write+0x1ab/0x280\n[693354.105732]  ? cgroup_file_poll+0x60/0x60\n[693354.105738]  vfs_write+0xe7/0x230\n[693354.105744]  ksys_write+0xb0/0x140\n[693354.105749]  ? __ia32_sys_read+0x50/0x50\n[693354.105760]  do_syscall_64+0x112/0x370\n[693354.105766]  ? syscall_return_slowpath+0x260/0x260\n[693354.105772]  ? do_page_fault+0x9b/0x270\n[693354.105779]  ? prepare_exit_to_usermode+0xf9/0x1a0\n[693354.105784]  ? enter_from_user_mode+0x30/0x30\n[693354.105793]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n[693354.105875] Allocated by task 1453337:\n[693354.106001]  kasan_kmalloc+0xa0/0xd0\n[693354.106006]  kmem_cache_alloc_node_trace+0x108/0x220\n[693354.106010]  bfq_pd_alloc+0x96/0x120\n[693354.106015]  blkcg_activate_policy+0x1b7/0x2b0\n[693354.106020]  bfq_create_group_hierarchy+0x1e/0x80\n[693354.106026]  bfq_init_queue+0x678/0x8c0\n[693354.106031]  blk_mq_init_sched+0x1f8/0x460\n[693354.106037]  elevator_switch_mq+0xe1/0x240\n[693354.106041]  elevator_switch+0x25/0x40\n[693354.106045]  elv_iosched_store+0x1a1/0x230\n[693354.106049]  queue_attr_store+0x78/0xb0\n[693354.106053]  kernfs_fop_write+0x1ab/0x280\n[693354.106056]  vfs_write+0xe7/0x230\n[693354.106060]  ksys_write+0xb0/0x140\n[693354.106064]  do_syscall_64+0x112/0x370\n[693354.106069]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n[693354.106114] Freed by task 1453336:\n[693354.106225]  __kasan_slab_free+0x130/0x180\n[693354.106229]  kfree+0x90/0x1b0\n[693354.106233]  blkcg_deactivate_policy+0x12c/0x220\n[693354.106238]  bfq_exit_queue+0xf5/0x110\n[693354.106241]  blk_mq_exit_sched+0x104/0x130\n[693354.106245]  __elevator_exit+0x45/0x60\n[693354.106249]  elevator_switch_mq+0xd6/0x240\n[693354.106253]  elevator_switch+0x25/0x40\n[693354.106257]  elv_iosched_store+0x1a1/0x230\n[693354.106261]  queue_attr_store+0x78/0xb0\n[693354.106264]  kernfs_fop_write+0x1ab/0x280\n[693354.106268]  vfs_write+0xe7/0x230\n[693354.106271]  ksys_write+0xb0/0x140\n[693354.106275]  do_syscall_64+0x112/0x370\n[693354.106280]  entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n[693354.106329] The buggy address belongs to the object at ffff888be0a35580\n                 which belongs to the cache kmalloc-1k of size 1024\n[693354.106736] The buggy address is located 228 bytes inside of\n                 1024-byte region [ffff888be0a35580, ffff888be0a35980)\n[693354.107114] The buggy address belongs to the page:\n[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0\n[693354.107606] flags: 0x17ffffc0008100(slab|head)\n[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080\n[693354.108020] r\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: blk-cgroup: corrige UAF capturando el bloqueo de blkcg antes de destruir blkg pd KASAN informa un informe de use after free al realizar una prueba fuzz: [693354.104835] ======= ==================================================== ========= [693354.105094] ERROR: KASAN: use after free en bfq_io_set_weight_legacy+0xd3/0x160 [693354.105336] Lectura de tamaño 4 en la dirección ffff888be0a35664 por tarea sh/1453338 [693354.10560 7] CPU: 41 PID: 1453338 Comm: sh Kdump: cargado No contaminado 4.18.0-147 [693354.105610] Nombre de hardware: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 02/07/2018 [693354.105612] Seguimiento de llamadas: [693354.105621] +0xf1/0x19b [693354.105626] ? show_regs_print_info+0x5/0x5 [693354.105634] ? imprimirk+0x9c/0xc3 [693354.105638] ? cpumask_weight+0x1f/0x1f [693354.105648] print_address_description+0x70/0x360 [693354.105654] kasan_report+0x1b2/0x330 [693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105670] bfq_io_set_weight_legacy+0xd3/0x160 [693354.105675] ? bfq_cpd_init+0x20/0x20 [693354.105683] cgroup_file_write+0x3aa/0x510 [693354.105693] ? ___slab_alloc+0x507/0x540 [693354.105698] ? cgroup_file_poll+0x60/0x60 [693354.105702] ? 0xffffffff89600000 [693354.105708] ? usercopy_abort+0x90/0x90 [693354.105716] ? mutex_lock+0xef/0x180 [693354.105726] kernfs_fop_write+0x1ab/0x280 [693354.105732] ? cgroup_file_poll+0x60/0x60 [693354.105738] vfs_write+0xe7/0x230 [693354.105744] ksys_write+0xb0/0x140 [693354.105749] ? __ia32_sys_read+0x50/0x50 [693354.105760] do_syscall_64+0x112/0x370 [693354.105766] ? syscall_return_slowpath+0x260/0x260 [693354.105772]? do_page_fault+0x9b/0x270 [693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0 [693354.105784] ? enter_from_user_mode+0x30/0x30 [693354.105793] Entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.105875] Asignado por la tarea 1453337: [693354.106001] kasan_kmalloc+0xa0/0xd0 [693354. 106006] kmem_cache_alloc_node_trace+0x108/0x220 [693354.106010] bfq_pd_alloc+0x96/0x120 [693354.106015] blkcg_activate_policy+ 0x1b7/0x2b0 [693354.106020] bfq_create_group_hierarchy+0x1e/0x80 [693354.106026] bfq_init_queue+0x678/0x8c0 [693354.106031] blk_mq_init_sched+0x1f8/0x460 [693354.106037] elevator_switch_mq+0xe1/0x240 [693354.106041] elevator_switch+0x25/0x40 [693354.106045] elv_iosched_store+0x1a1/ 0x230 [693354.106049] queue_attr_store+0x78/0xb0 [693354.106053] kernfs_fop_write+0x1ab/0x280 [693354.106056] vfs_write+0xe7/0x230 [693354.106060] s_write+0xb0/0x140 [693354.106064] do_syscall_64+0x112/0x370 [693354.106069] Entry_SYSCALL_64_after_hwframe+0x65/0xca [ 693354.106114] Liberado por la tarea 1453336: [693354.106225] __kasan_slab_free+0x130/0x180 [693354.106229] kfree+0x90/0x1b0 [693354.106233] blkcg_deactivate_policy+0x12 c/0x220 [693354.106238] bfq_exit_queue+0xf5/0x110 [693354.106241] blk_mq_exit_sched+0x104/0x130 [693354.106245] __elevator_exit+0x45/0x60 [693354.106249] elevator_switch_mq+0xd6/0x240 [693354.106253] interruptor_elevador+0x25/0x40 [693354.106257] elv_iosched_store+0x1a1/0x230 .106261] queue_attr_store+0x78/0xb0 [693354.106264] kernfs_fop_write+0x1ab/0x280 [693354.106268] vfs_write+ 0xe7/0x230 [693354.106271] ksys_write+0xb0/0x140 [693354.106275] do_syscall_64+0x112/0x370 [693354.106280] Entry_SYSCALL_64_after_hwframe+0x65/0xca [69335 4.106329] La dirección con errores pertenece al objeto en ffff888be0a35580 que pertenece al caché kmalloc-1k de tamaño 1024 [693354.106736] La dirección con errores se encuentra a 228 bytes dentro de la región de 1024 bytes [ffff888be0a35580, ffff888be0a35980) [693354.107114] La dirección con errores pertenece a la página: [693354.107273] página:ffffea002f828c00 1 recuento de mapas: 0 mapeo: ffff888107c17080 índice: 0x0 Compound_mapcount: 0 [693354.107606] banderas: 0x17ffffc0008100(slab|head) [693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 3354.108020] r ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.150","matchCriteriaId":"F6EBA6BC-0594-4920-B410-5DDA60229E8E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.70","matchCriteriaId":"A2A50090-4483-4F44-9147-BF0B012FBF7E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.14.9","matchCriteriaId":"1B31D6C1-A751-438D-906B-0C56B789D498"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*","matchCriteriaId":"E46C74C6-B76B-4C94-A6A4-FD2FFF62D644"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/7c2c69e010431b0157c9454adcdd2305809bf9fb","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/858560b27645e7e97aca37ee8f232cccd658fbd2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d12ddd843f1877de1f7dd2aeea4907cf9ff3ac08","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f58d305887ad7b24986d58e881f6806bb81b2bdf","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}