CVE-2021-47634

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A race condition exists between ctrl cdev ioctl and ubi cdev ioctl in the Linux kernel. This issue is caused by the locks held by these two functions, ubi devices mutex and ubi->device mutex, which can be concurrent. The problem arises in ubi attach when uif init and uif close may race with ubi cdev ioctl, potentially leading to a use-after-free error. This error occurs because a device is made "available" before it becomes accessible via sysfs, allowing for concurrent access and deletion. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations To resolve this issue, the modification made by commit 714fb87e8bc0 should be rolled back. The race condition between ubi device creation and udev can be fixed by removing ubi get device in vol attribute show and dev attribute show. This change avoids accessing uninitialized ubi devices[ubi num]. As a temporary workaround, consider disabling the ubi cdev ioctl function until a patch is available. Restrict access to the vulnerable ubi module to minimize the risk of exploitation. Avoid using the device del function in the affected API endpoint until the issue is resolved.