Byte Open Security

(ByteOS Network)

CVE Vulnerability Details: CVE-2021-46933
Status: PUBLISHED
Assigner: Linux
Assigner Org ID: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At: 27 Feb, 2024 | 09:44
Updated At: 04 May, 2025 | 07:00
CVE Numbering Authority (CNA)
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided an eventfd along with the function's USB descriptors, it ends up calling eventfd_ctx_put as many times, causing a refcount underflow. NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls. Also, set epfiles to NULL right after de-allocating it, for readability.

For completeness, ffs_data_clear actually ends up being called thrice, the last call being before the whole ffs structure gets freed, so when this specific sequence happens there is a second underflow happening (but not being reported):

/sys/kernel/debug/tracing# modprobe usb_f_fs
/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
/sys/kernel/debug/tracing# echo function > current_tracer
/sys/kernel/debug/tracing# echo 1 > tracing_on
(setup gadget, run and kill function userland process, teardown gadget)
/sys/kernel/debug/tracing# echo 0 > tracing_on
/sys/kernel/debug/tracing# cat trace
smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put

Warning output corresponding to above trace:

[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
[ 1946.293094] refcount_t: underflow; use-after-free.
[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
[ 1946.417950] Hardware name: BCM2835
[ 1946.425442] Backtrace:
[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
[ 1946.482067] r5:c04a948c r4:c0a71dc8
[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
[ 1946.582664] r5:c3b84c00 r4:c2695b00
[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
[ 1946.609608] r5:bf54d014 r4:c2695b00
[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
[ 1946.636217] r7:c0dfcb ---truncated---
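As an added example (not code from the kernel or from the CVE record), the user-space model below replays the teardown sequence the commit message describes: ffs_data_clear reached three times (from ffs_ep0_release, ffs_fs_kill_sb and ffs_data_put) against a single eventfd reference. eventfd_ctx_put is stood in for by a saturating counter that behaves like the kernel's refcount_t, so the "refcount_t: underflow; use-after-free" condition shows up as a counted event instead of a WARNING. The vulnerable clear keeps the pointer after the put; the fixed clear NULL-ifies it, which is the whole of the fix. Note that the ADP entry further down labels the issue CWE-476 (NULL Pointer Dereference), whereas the kernel warning quoted in the record reports a refcount underflow, that is, a use-after-free; the model follows the warning. Structure and function names mirror f_fs.c, but the bodies are simplified stand-ins, not the driver's code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* refcount_t pins the counter once it detects misuse instead of wrapping; the
 * exact constant does not matter for the model, only that it is recognisable. */
#define REFCOUNT_SATURATED 0xC0000000u

struct eventfd_ctx {
    unsigned int refs;
    int underflows;   /* how many times refcount_warn_saturate() would have fired */
};

struct ffs_data {
    struct eventfd_ctx *ffs_eventfd;   /* set when userland passes an eventfd with the descriptors */
    void *epfiles;
};

static struct eventfd_ctx *eventfd_ctx_get(void)
{
    struct eventfd_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx)
        ctx->refs = 1;
    return ctx;
}

/* Model of eventfd_ctx_put(): drop one reference. The real kernel frees the ctx
 * when the count reaches zero, so the second put is a use-after-free; here the
 * object stays allocated so the caller can inspect what happened. */
static void eventfd_ctx_put(struct eventfd_ctx *ctx)
{
    if (ctx->refs == 0 || ctx->refs == REFCOUNT_SATURATED) {
        ctx->underflows++;                 /* "refcount_t: underflow; use-after-free." */
        ctx->refs = REFCOUNT_SATURATED;
        return;
    }
    ctx->refs--;
}

/* Before the fix: ffs_eventfd survives the put, so every further call puts again. */
static void ffs_data_clear_vulnerable(struct ffs_data *ffs)
{
    if (ffs->ffs_eventfd)
        eventfd_ctx_put(ffs->ffs_eventfd);
    free(ffs->epfiles);
    ffs->epfiles = NULL;
}

/* After the fix: NULL-ify right after the put, so repeated calls are harmless. */
static void ffs_data_clear_fixed(struct ffs_data *ffs)
{
    if (ffs->ffs_eventfd) {
        eventfd_ctx_put(ffs->ffs_eventfd);
        ffs->ffs_eventfd = NULL;
    }
    free(ffs->epfiles);
    ffs->epfiles = NULL;
}

/* Replay the three calls seen in the ftrace output above and return how many
 * underflows the eventfd refcount recorded (0 is the correct result). */
static int run_teardown(void (*clear)(struct ffs_data *))
{
    struct eventfd_ctx *ctx = eventfd_ctx_get();
    if (!ctx)
        return -1;
    struct ffs_data ffs = { .ffs_eventfd = ctx, .epfiles = malloc(16) };

    clear(&ffs);   /* ffs_ep0_release -> ffs_data_closed -> ffs_data_clear */
    clear(&ffs);   /* ffs_fs_kill_sb  -> ffs_data_closed -> ffs_data_clear */
    clear(&ffs);   /* ffs_data_put    -> ffs_data_clear, just before ffs is freed */

    int underflows = ctx->underflows;
    free(ctx);
    return underflows;
}

int main(void)
{
    printf("vulnerable clear: %d underflow(s)\n", run_teardown(ffs_data_clear_vulnerable));
    printf("fixed clear:      %d underflow(s)\n", run_teardown(ffs_data_clear_fixed));
    return 0;
}
```

The vulnerable variant records two underflows, matching the commit message's "second underflow happening (but not being reported)": the first extra put trips the warning, the third call puts an already-saturated counter. The fixed variant records none, because only the first call ever sees a non-NULL ffs_eventfd.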

Affected Products
Vendor
Linux (Linux Kernel Organization, Inc)
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • drivers/usb/gadget/function/f_fs.c
Default Status
unaffected
Versions
Affected
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before f976dd7011150244a7ba820f2c331e9fb253befa (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before cc8c8028c21b2a3842a1e98e99e55028df275919 (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before 52500239e3f2d6fc77b6f58632a9fb98fe74ac09 (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before 33f6a0cbb7772146e1c11f38028fffbfed14728b (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before 240fc586e83d645912accce081a48aa63a45f6ee (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before 1c4ace3e6b8575745c50dca9e76e0021e697d645 (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before ebef2aa29f370b5096c16020c104e393192ef684 (git)
  • From 5e33f6fdf735cda1d4580fe6f1878da05718fe73 before b1e0887379422975f237d43d8839b751a6bcf154 (git)
Vendor
Linux (Linux Kernel Organization, Inc)
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • drivers/usb/gadget/function/f_fs.c
Default Status
affected
Versions
Affected
  • 4.0
Unaffected
  • From 0 before 4.0 (semver)
  • From 4.4.298 through 4.4.* (semver)
  • From 4.9.296 through 4.9.* (semver)
  • From 4.14.261 through 4.14.* (semver)
  • From 4.19.224 through 4.19.* (semver)
  • From 5.4.170 through 5.4.* (semver)
  • From 5.10.90 through 5.10.* (semver)
  • From 5.15.13 through 5.15.* (semver)
  • From 5.16 through * (original_commit_for_fix)
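The version ranges above describe upstream releases only. As an added example (not part of the CVE record), the check below parses a uname -r style release string and places it against those ranges: "From 0 before 4.0", the first fixed release on each stable branch, and "From 5.16 through *". The caveat a practitioner needs: distribution kernels frequently carry the fix as a backport without changing the upstream numbers (the Debian kernel in the splat above reports itself as 5.15.0-1-rpi while being built from 5.15.3), so an "affected" answer here means "check the distribution's changelog for commit f976dd70 or its stable backport", not "confirmed vulnerable". The sample release strings are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

struct kver { int major, minor, patch; };

/* First fixed release on each stable branch, taken from the "Unaffected" list above. */
static const struct kver fixed_in[] = {
    {4, 4, 298}, {4, 9, 296}, {4, 14, 261}, {4, 19, 224},
    {5, 4, 170}, {5, 10, 90}, {5, 15, 13},
};
static const struct kver first_affected = {4, 0, 0};  /* "Affected: 4.0" */
static const struct kver mainline_fix   = {5, 16, 0}; /* "From 5.16 through *" */

/* Parse the leading "major.minor[.patch]" of a uname -r string such as
 * "5.15.0-1-rpi" or "6.1"; whatever follows the numbers is ignored. */
static bool parse_kver(const char *s, struct kver *out)
{
    out->major = out->minor = out->patch = 0;
    int got = sscanf(s, "%d.%d.%d", &out->major, &out->minor, &out->patch);
    return got >= 2 && out->major >= 0 && out->minor >= 0 && out->patch >= 0;
}

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 = upstream version is in an unaffected range, 0 = in the affected range,
 * -1 = release string not understood. */
static int cve_2021_46933_status(const char *release)
{
    struct kver v;
    if (!parse_kver(release, &v))
        return -1;
    if (kver_cmp(v, first_affected) < 0)   /* "From 0 before 4.0" */
        return 1;
    if (kver_cmp(v, mainline_fix) >= 0)    /* "From 5.16 through *" */
        return 1;
    for (size_t i = 0; i < sizeof fixed_in / sizeof fixed_in[0]; i++) {
        /* same stable branch: unaffected from its first fixed patch level onward */
        if (v.major == fixed_in[i].major && v.minor == fixed_in[i].minor)
            return kver_cmp(v, fixed_in[i]) >= 0 ? 1 : 0;
    }
    return 0;   /* a 4.0 .. 5.15 branch with no listed fixed release, e.g. 5.11.y */
}

int main(void)
{
    /* Constructed release strings; the first is the kernel named in the splat above. */
    const char *samples[] = { "5.15.0-1-rpi", "5.15.13", "4.19.223", "4.19.224",
                              "5.11.22", "6.1.0", "3.16.85", "not-a-kernel" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], cve_2021_46933_status(samples[i]));
    return 0;
}
```

Branches that were out of maintenance when the fix landed (5.11.y, 5.12.y and so on) never received a backport, so the function leaves them affected; the only way to clear them is to move to a maintained branch.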
References
  • https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa
  • https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
  • https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
  • https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
  • https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
  • https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
  • https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
  • https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Problem Types
  • Type: CWE; CWE ID: CWE-476; Description: NULL Pointer Dereference
Metrics
  • CVSS version: 3.1; Base score: 5.5; Base severity: MEDIUM
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H