CVE-2021-47200

{"id": "CVE-2021-47200", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-04-10T19:15:48.077", "references": [{"url": "https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/prime: Fix use after free in mmap with drm_gem_ttm_mmap\n\ndrm_gem_ttm_mmap() drops a reference to the gem object on success. If\nthe gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that\ndrop will free the gem object, and the subsequent drm_gem_object_get()\nwill be a UAF. Fix by grabbing a reference before calling the mmap\nhelper.\n\nThis issue was forseen when the reference dropping was adding in\ncommit 9786b65bc61ac (\"drm/ttm: fix mmap refcounting\"):\n \"For that to work properly the drm_gem_object_get() call in\n drm_gem_ttm_mmap() must be moved so it happens before calling\n obj->funcs->mmap(), otherwise the gem refcount would go down\n to zero.\""}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/prime: Arreglar el use-after-free en mmap con drm_gem_ttm_mmap drm_gem_ttm_mmap() elimina una referencia al objeto gema en caso de \u00e9xito. Si el refcount del objeto gema == 1 en la entrada a drm_gem_prime_mmap(), esa eliminaci\u00f3n liberar\u00e1 el objeto gema y el drm_gem_object_get() posterior ser\u00e1 un UAF. Se soluciona tomando una referencia antes de llamar al ayudante mmap. Este problema se previ\u00f3 cuando se agreg\u00f3 la eliminaci\u00f3n de referencia en el commit 9786b65bc61ac (\"drm/ttm: corregir el recuento de referencias mmap\"): \"Para que eso funcione correctamente, la llamada drm_gem_object_get() en drm_gem_ttm_mmap() debe moverse para que suceda antes de llamar a obj->funcs->mmap(), de lo contrario, el recuento de referencias de la gema bajar\u00eda a cero\"."}], "lastModified": "2025-01-07T17:12:06.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24C2E67E-369B-4DC4-89C9-101DE1BAA919", "versionEndExcluding": "5.15.5", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}