Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2021-46921

Disclosure Date: February 27, 2024 •

CVE-2021-46921 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

locking/qrwlock: Fix ordering in queued_write_lock_slowpath()

While this code is executed with the wait_lock held, a reader can
acquire the lock without holding wait_lock. The writer side loops
checking the value with the atomic_cond_read_acquire(), but only truly
acquires the lock when the compare-and-exchange is completed
successfully which isn’t ordered. This exposes the window between the
acquire and the cmpxchg to an A-B-A problem which allows reads
following the lock acquisition to observe values speculatively before
the write lock is truly acquired.

We’ve seen a problem in epoll where the reader does a xchg while
holding the read lock, but the writer can see a value change out from
under it.

Writer | Reader

ep_scan_ready_list() |
|– write_lock_irq() |

  |- queued_write_lock_slowpath()   |
|- atomic_cond_read_acquire()   |
			        | read_lock_irqsave(&ep->lock, flags);
 --> (observes value before unlock) |  chain_epi_lockless()
 |                                  |    epi->next = xchg(&ep->ovflist, epi);
 |                                  | read_unlock_irqrestore(&ep->lock, flags);
 |                                  |
 |     atomic_cmpxchg_relaxed()     |
 |-- READ_ONCE(ep->ovflist);        |

A core can order the read of the ovflist ahead of the
atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire
semantics addresses this issue at which point the atomic_cond_read can
be switched to use relaxed semantics.

[peterz: use try_cmpxchg()]

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

linux

Products

linux kernel

References

Canonical

CVE-2021-46921 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46921)

Miscellaneous

https://git.kernel.org/stable/c/5902f9453a313be8fe78cbd7e7ca9dba9319fc6e

https://git.kernel.org/stable/c/82808cc026811fbc3ecf0c0b267a12a339eead56

https://git.kernel.org/stable/c/82fa9ced35d88581cffa4a1c856fc41fca96d80a

https://git.kernel.org/stable/c/d558fcdb17139728347bccc60a16af3e639649d2

https://git.kernel.org/stable/c/84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896

Rapid7

Unknown

CVE-2021-46921

Unknown

Unknown

None

Low

Local

CVE-2021-46921

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2021-46921

Unknown

Unknown

None

Low

Local

CVE-2021-46921

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification