{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: aio: fix use-after-free due to missing POLLFREE handling",
    "id" : "2283448",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2283448"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\naio: fix use-after-free due to missing POLLFREE handling\nsignalfd_poll() and binder_poll() are special in that they use a\nwaitqueue whose lifetime is the current task, rather than the struct\nfile as is normally the case.  This is okay for blocking polls, since a\nblocking poll occurs within one task; however, non-blocking polls\nrequire another solution.  This solution is for the queue to be cleared\nbefore it is freed, by sending a POLLFREE notification to all waiters.\nUnfortunately, only eventpoll handles POLLFREE.  A second type of\nnon-blocking poll, aio poll, was added in kernel v4.18, and it doesn't\nhandle POLLFREE.  This allows a use-after-free to occur if a signalfd or\nbinder fd is polled with aio poll, and the waitqueue gets freed.\nFix this by making aio poll handle POLLFREE.\nA patch by Ramji Jiyani <ramjiyani@google.com>\n(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)\ntried to do this by making aio_poll_wake() always complete the request\ninline if POLLFREE is seen.  However, that solution had two bugs.\nFirst, it introduced a deadlock, as it unconditionally locked the aio\ncontext while holding the waitqueue lock, which inverts the normal\nlocking order.  Second, it didn't consider that POLLFREE notifications\nare missed while the request has been temporarily de-queued.\nThe second problem was solved by my previous patch.  This patch then\nproperly fixes the use-after-free by handling POLLFREE in a\ndeadlock-free way.  It does this by taking advantage of the fact that\nfreeing of the waitqueue is RCU-delayed, similar to what eventpoll does." ],
  "statement" : "Following issue marked as moderate with \"not affected\" for Red Hat Enterprise Linux, as it is not vulnerable to this CVE. This is because the CVE does not impact the versions or configurations of the Linux kernel used in Red Hat's distributions. Additionally, some RHEL versions may be marked as \"will not fix\" due to the minimal impact of the issue, and no fix will be provided.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47505\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47505\nhttps://lore.kernel.org/linux-cve-announce/2024052452-CVE-2021-47505-427f@gregkh/T" ],
  "name" : "CVE-2021-47505",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}