CVE-2021-47388 mac80211: fix use-after-free in CCMP/GCMP RX

2024-05-2115:03:47

Linux

www.cve.org

linux kernel

vulnerability

mac80211

use-after-free

pn checking

fragmentation

comparison

fix

reallocations

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix use-after-free in CCMP/GCMP RX

When PN checking is done in mac80211, for fragmentation we need
to copy the PN to the RX struct so we can later use it to do a
comparison, since commit bf30ca922a0c (“mac80211: check defrag
PN against current frame”).

Unfortunately, in that commit I used the ‘hdr’ variable without
it being necessarily valid, so use-after-free could occur if it
was necessary to reallocate (parts of) the frame.

Fix this by reloading the variable after the code that results
in the reallocations, if any.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/mac80211/wpa.c"
    ],
    "versions": [
      {
        "version": "608b0a2ae928",
        "lessThan": "447d001b875d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "d0f613fe6de3",
        "lessThan": "31de381aef0a",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "a9b57952fed4",
        "lessThan": "f556e1d6fb9f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0f716b48ed25",
        "lessThan": "3d5d629c99c4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c8b3a6150dc8",
        "lessThan": "50149e0866a8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e64ea0597050",
        "lessThan": "57de2dcb1874",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "bf30ca922a0c",
        "lessThan": "27d3eb5616ee",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "bf30ca922a0c",
        "lessThan": "94513069eb54",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/mac80211/wpa.c"
    ],
    "versions": [
      {
        "version": "5.13",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.13",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.4.286",
        "lessThanOrEqual": "4.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.9.285",
        "lessThanOrEqual": "4.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.249",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.209",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.151",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.71",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14.10",
        "lessThanOrEqual": "5.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]