ghsa-3c4w-p6cr-wgq6
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: actually fix freelist pointer vs redzoning
It turns out that SLUB redzoning ("slub_debug=Z") checks from s->object_size rather than from s->inuse (which is normally bumped to make room for the freelist pointer), so a cache created with an object size less than 24 would have the freelist pointer written beyond s->object_size, causing the redzone to be corrupted by the freelist pointer. This was very visible with "slub_debug=ZF":
BUG test (Tainted: G B ): Right Redzone overwritten
INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200 INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620
Redzone (_ptrval): bb bb bb bb bb bb bb bb ........ Object (_ptrval): 00 00 00 00 00 f6 f4 a5 ........ Redzone (_ptrval): 40 1d e8 1a aa @.... Padding (_ptrval): 00 00 00 00 00 00 00 00 ........
Adjust the offset to stay within s->object_size.
(Note that no caches of in this size range are known to exist in the kernel currently.)
{
"affected": [],
"aliases": [
"CVE-2021-47221"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:11Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: actually fix freelist pointer vs redzoning\n\nIt turns out that SLUB redzoning (\"slub_debug=Z\") checks from\ns-\u003eobject_size rather than from s-\u003einuse (which is normally bumped to\nmake room for the freelist pointer), so a cache created with an object\nsize less than 24 would have the freelist pointer written beyond\ns-\u003eobject_size, causing the redzone to be corrupted by the freelist\npointer. This was very visible with \"slub_debug=ZF\":\n\n BUG test (Tainted: G B ): Right Redzone overwritten\n -----------------------------------------------------------------------------\n\n INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb\n INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200\n INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620\n\n Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........\n Object (____ptrval____): 00 00 00 00 00 f6 f4 a5 ........\n Redzone (____ptrval____): 40 1d e8 1a aa @....\n Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........\n\nAdjust the offset to stay within s-\u003eobject_size.\n\n(Note that no caches of in this size range are known to exist in the\nkernel currently.)",
"id": "GHSA-3c4w-p6cr-wgq6",
"modified": "2025-04-29T21:31:31Z",
"published": "2024-05-21T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47221"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce6e8bee7a3883e8008b30f5887dbb426aac6a35"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e41a49fadbc80b60b48d3c095d9e2ee7ef7c9a8e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f6ed2357541612a13a5841b3af4dc32ed984a25f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.