PT-2021-8032 · Linux+2 · Linux Kernel+2

Benjamin Block · Published 2021-04-30 · Updated 2024-08-19 · CVE-2021-46938

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.3.18-53-default #1 SLE15-SP3

Description

The vulnerability is a double free of the blk_mq_tag_set in the device-mapper table for a request-based mapped device. When the allocation/initialization of the blk_mq_tag_set fails, a subsequent device removal causes a double free, leading to a kernel panic. The issue is caused by the pointer not being reset to NULL after the blk_mq_tag_set is uninitialized/freed.
To exploit this vulnerability, an attacker would need to cause the allocation/initialization of the blk mq tag set to fail, and then trigger a device remove. This could potentially allow the attacker to cause a denial-of-service or execute arbitrary code.
The dm_mq_init_request_queue() function is vulnerable, and the dm_mq_cleanup_mapped_device() function tries to uninitialize and free the blk_mq_tag_set again, causing the double free.
The vulnerability can be fixed by setting the pointer to NULL in the dm_mq_init_request_queue() error handling and in dm_mq_cleanup_mapped_device().
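
The failure sequence described above, as an added userspace C model (not the kernel's code or the upstream patch): a failed init releases the tag set, and device removal releases it again unless the pointer was cleared. All struct and function names are hypothetical stand-ins, and releases are counted rather than performed so the double free can be observed safely.

```c
#include <stddef.h>

/* Userspace model; names are hypothetical stand-ins for the kernel's
 * mapped device and blk_mq_tag_set handling, not kernel code. */
struct tag_set { int released; };        /* times this set was released */
struct mapped_dev { struct tag_set *tag_set; };

static int double_frees;                 /* releases of an already-released set */

/* Stand-in for the kernel free: counts instead of freeing, so a second
 * release is observable without corrupting the heap. */
static void release_tag_set(struct tag_set *ts)
{
    if (ts->released++)
        double_frees++;
}

/* Init whose tag set setup fails (forced here). With fixed != 0 the error
 * path clears md->tag_set after releasing it. */
static int init_request_queue(struct mapped_dev *md, struct tag_set *ts, int fixed)
{
    md->tag_set = ts;
    release_tag_set(md->tag_set);        /* simulated failure: undo the setup */
    if (fixed)
        md->tag_set = NULL;
    return -1;
}

/* Cleanup on device remove: releases the tag set if the pointer is set. */
static void cleanup_mapped_device(struct mapped_dev *md, int fixed)
{
    if (md->tag_set)
        release_tag_set(md->tag_set);
    if (fixed)
        md->tag_set = NULL;
}

/* Failed init followed by device remove; returns double frees observed. */
static int run_scenario(int fixed)
{
    struct tag_set backing = { 0 };
    struct mapped_dev md = { NULL };
    double_frees = 0;
    init_request_queue(&md, &backing, fixed);
    cleanup_mapped_device(&md, fixed);
    return double_frees;
}

int main(void) { return (run_scenario(0) == 1 && run_scenario(1) == 0) ? 0 : 1; }
```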

Recommendations

To resolve the issue, update the Linux kernel to a version that includes the fix for the double free vulnerability. Specifically, update to a version later than 5.3.18-53-default #1 SLE15-SP3.
As a temporary workaround, consider disabling the dm_mq_init_request_queue() function or restricting access to the device-mapper table to minimize the risk of exploitation. However, this should not be considered a permanent solution, and updating the kernel to a patched version is recommended as soon as possible.

Fix

Double Free

Weakness Enumeration

Related Identifiers

BDU:2024-03688
CVE-2021-46938
OPENSUSE-SU-2024_1489-1
SUSE-SU-2024:1454-1
SUSE-SU-2024:1465-1
SUSE-SU-2024:1489-1
SUSE-SU-2024:1643-1
SUSE-SU-2024:1646-1
SUSE-SU-2024:1870-1

Affected Products

Astra Linux
Linux Kernel
Suse