{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47656","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:48:21.521Z","datePublished":"2025-02-26T01:54:20.069Z","dateUpdated":"2025-05-04T07:15:43.185Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:15:43.185Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix use-after-free in jffs2_clear_xattr_subsystem\n\nWhen we mount a jffs2 image, assume that the first few blocks of\nthe image are normal and contain at least one xattr-related inode,\nbut the next block is abnormal. As a result, an error is returned\nin jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then\ncalled in jffs2_build_filesystem() and then again in\njffs2_do_fill_super().\n\nFinally we can observe the following report:\n ==================================================================\n BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac\n Read of size 8 at addr ffff8881243384e0 by task mount/719\n\n Call Trace:\n  dump_stack+0x115/0x16b\n  jffs2_clear_xattr_subsystem+0x95/0x6ac\n  jffs2_do_fill_super+0x84f/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n  mtd_get_sb+0x254/0x400\n  mtd_get_sb_by_nr+0x4f/0xd0\n  get_tree_mtd+0x498/0x840\n  jffs2_get_tree+0x25/0x30\n  vfs_get_tree+0x8d/0x2e0\n  path_mount+0x50f/0x1e50\n  do_mount+0x107/0x130\n  __se_sys_mount+0x1c5/0x2f0\n  __x64_sys_mount+0xc7/0x160\n  do_syscall_64+0x45/0x70\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\n Allocated by task 719:\n  kasan_save_stack+0x23/0x60\n  __kasan_kmalloc.constprop.0+0x10b/0x120\n  kasan_slab_alloc+0x12/0x20\n  kmem_cache_alloc+0x1c0/0x870\n  jffs2_alloc_xattr_ref+0x2f/0xa0\n  jffs2_scan_medium.cold+0x3713/0x4794\n  jffs2_do_mount_fs.cold+0xa7/0x2253\n  jffs2_do_fill_super+0x383/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n Freed by task 719:\n  kmem_cache_free+0xcc/0x7b0\n  jffs2_free_xattr_ref+0x78/0x98\n  jffs2_clear_xattr_subsystem+0xa1/0x6ac\n  jffs2_do_mount_fs.cold+0x5e6/0x2253\n  jffs2_do_fill_super+0x383/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n The buggy address belongs to the object at ffff8881243384b8\n  which belongs to the cache jffs2_xattr_ref of size 48\n The buggy address is located 40 bytes inside of\n  48-byte region [ffff8881243384b8, ffff8881243384e8)\n [...]\n ==================================================================\n\nThe triggering of the BUG is shown in the following stack:\n-----------------------------------------------------------\njffs2_fill_super\n  jffs2_do_fill_super\n    jffs2_do_mount_fs\n      jffs2_build_filesystem\n        jffs2_scan_medium\n          jffs2_scan_eraseblock        <--- ERROR\n        jffs2_clear_xattr_subsystem    <--- free\n    jffs2_clear_xattr_subsystem        <--- free again\n-----------------------------------------------------------\n\nAn error is returned in jffs2_do_mount_fs(). If the error is returned\nby jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to\nbe executed. If the error is returned by jffs2_build_filesystem(), the\njffs2_clear_xattr_subsystem() also does not need to be executed again.\nSo move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'\nto fix this UAF problem."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/jffs2/fs.c"],"versions":[{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"9150cb625b46f68d524f4cfd491f1aafc23e10a9","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"3bd2454162ec6bbb5503233c804fce6e4b6dcec5","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"c3b07c875fa8f906f932976460fd14798596f101","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"30bf7244acf32f19cb722c39f7bc1c2a9f300422","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"7bb7428dd73991bf4b3a7a61b493ca50046c2b13","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"7a75740206af5f17e9f3efa384211cba70213da1","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"22327bd7988f21de3a53c1373f3b81542bfe1f44","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"8c0f024f29e055840a5a89fe23b96ae3f921afed","status":"affected","versionType":"git"},{"version":"aa98d7cf59b5b0764d3502662053489585faf2fe","lessThan":"4c7c44ee1650677fbe89d86edbad9497b7679b5c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/jffs2/fs.c"],"versions":[{"version":"2.6.18","status":"affected"},{"version":"0","lessThan":"2.6.18","status":"unaffected","versionType":"semver"},{"version":"4.9.311","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.276","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.238","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.189","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.110","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.33","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"4.9.311"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"4.14.276"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"4.19.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.4.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.10.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.15.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9150cb625b46f68d524f4cfd491f1aafc23e10a9"},{"url":"https://git.kernel.org/stable/c/3bd2454162ec6bbb5503233c804fce6e4b6dcec5"},{"url":"https://git.kernel.org/stable/c/c3b07c875fa8f906f932976460fd14798596f101"},{"url":"https://git.kernel.org/stable/c/30bf7244acf32f19cb722c39f7bc1c2a9f300422"},{"url":"https://git.kernel.org/stable/c/7bb7428dd73991bf4b3a7a61b493ca50046c2b13"},{"url":"https://git.kernel.org/stable/c/7a75740206af5f17e9f3efa384211cba70213da1"},{"url":"https://git.kernel.org/stable/c/22327bd7988f21de3a53c1373f3b81542bfe1f44"},{"url":"https://git.kernel.org/stable/c/8c0f024f29e055840a5a89fe23b96ae3f921afed"},{"url":"https://git.kernel.org/stable/c/4c7c44ee1650677fbe89d86edbad9497b7679b5c"}],"title":"jffs2: fix use-after-free in jffs2_clear_xattr_subsystem","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2021-47656","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T17:59:35.381270Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:02:30.510Z"}}]}}