Vulnerability CVE-2021-3491: Information

Description

The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).

Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Published: June 4, 2021
Modified: Sept. 14, 2021
Error type identifier: CWE-787

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| kernel-image-mp | sisyphus | 5.12.4-alt1 | 6.8.8-alt1 | ALT-PU-2021-1833-1 | 272140 | Fixed |
| kernel-image-mp | p10 | 5.12.4-alt1 | 6.1.19-alt1 | ALT-PU-2021-1833-1 | 272140 | Fixed |
| kernel-image-mp | p9 | 5.12.16-alt1 | 5.12.16-alt1 | ALT-PU-2021-3481-1 | 279859 | Fixed |
| kernel-image-rpi-def | sisyphus | 5.10.50-alt1 | 5.15.92-alt2 | ALT-PU-2021-2293-1 | 279852 | Fixed |
| kernel-image-rpi-def | p10 | 5.10.50-alt1 | 5.15.92-alt2 | ALT-PU-2021-2305-1 | 279938 | Fixed |
| kernel-image-rpi-def | p9 | 5.10.50-alt1 | 5.10.81-alt1 | ALT-PU-2021-2307-1 | 279906 | Fixed |
| kernel-image-rpi-un | sisyphus | 5.12.6-alt1 | 6.6.23-alt1 | ALT-PU-2021-1888-1 | 273055 | Fixed |
| kernel-image-rpi-un | p10 | 5.12.6-alt1 | 6.1.77-alt1 | ALT-PU-2021-1888-1 | 273055 | Fixed |
| kernel-image-rpi-un | p9 | 5.12.6-alt1 | 5.12.17-alt1 | ALT-PU-2021-1896-1 | 273084 | Fixed |
| kernel-image-rt | sisyphus | 5.10.41-alt1.rt42 | 6.1.90-alt2.rt30 | ALT-PU-2021-1985-1 | 274368 | Fixed |
| kernel-image-rt | p10 | 5.10.41-alt1.rt42 | 5.10.216-alt1.rt108 | ALT-PU-2021-1985-1 | 274368 | Fixed |
| kernel-image-std-debug | sisyphus | 5.10.54-alt1 | 6.1.90-alt2 | ALT-PU-2021-2370-1 | 281272 | Fixed |
| kernel-image-std-def | sisyphus | 5.10.41-alt1 | 6.1.90-alt2 | ALT-PU-2021-1912-1 | 272886 | Fixed |
| kernel-image-std-def | p10 | 5.10.41-alt1 | 5.10.216-alt1 | ALT-PU-2021-1912-1 | 272886 | Fixed |
| kernel-image-std-def | c9f2 | 5.10.42-alt0.c9f | 5.10.214-alt0.c9f.2 | ALT-PU-2021-1961-1 | 273497 | Fixed |
| kernel-image-std-kvm | sisyphus | 5.10.42-alt1 | 5.10.176-alt1 | ALT-PU-2021-1920-1 | 273546 | Fixed |
| kernel-image-std-kvm | p10 | 5.10.42-alt1 | 5.10.42-alt1 | ALT-PU-2021-1920-1 | 273546 | Fixed |
| kernel-image-un-def | sisyphus | 5.11.21-alt1 | 6.6.30-alt2 | ALT-PU-2021-1805-1 | 271842 | Fixed |
| kernel-image-un-def | sisyphus_riscv64 | 5.19.16-alt2.rv64 | 6.6.29-alt1.0.port | ALT-PU-2022-6777-1 | - | Fixed |
| kernel-image-un-def | p10 | 5.11.21-alt1 | 6.1.85-alt1 | ALT-PU-2021-1805-1 | 271842 | Fixed |
| kernel-image-un-def | p9 | 5.10.37-alt1 | 5.10.215-alt1 | ALT-PU-2021-1855-1 | 271841 | Fixed |
| kernel-image-un-def | c10f1 | 5.11.21-alt1 | 6.1.85-alt0.c10f.1 | ALT-PU-2021-1805-1 | 271842 | Fixed |

References to Advisories, Solutions, and Tools

      Configuration 1

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including: 5.11
      End excluding: 5.11.21

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including: 5.12
      End excluding: 5.12.4

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including: 5.7
      End excluding: 5.10.37

      Configuration 2

      cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*