CVE-2021-3492

Description

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 24.44%• Percentile: 96%

Techniques & Countermeasures

• CWE-415•Double Free

  The product calls free() twice on the same memory address.

• CWE-401•Missing Release of Memory after Effective Lifetime

  The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Affected Systems

• canonical•ubuntu_linux

  < 18.04 | ≥ 18.04.1, < 20.04 | < 20.10

• ubuntu•linux_kernel

  ≥ 5.8 kernel, < 5.8.0-50.56 | ≥ 5.4 kernel, < 5.4.0-72.80

References (6)

• https://www.openwall.com/lists/oss-security/2021/04/16/2
• https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=8fee52ab9da87d82bc6de9ebb3480fff9b4d53e6
• https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=25c891a949bf918b59cbc6e4932015ba4c35c333
• https://ubuntu.com/security/notices/USN-4917-1
• https://www.zerodayinitiative.com/advisories/ZDI-21-422/
• http://packetstormsecurity.com/files/162614/Kernel-Live-Patch-Security-Notice-LSN-0077-1.html