CVE-2021-47200

HIGH

Linux Kernel 5.5-5.15.5 - Use-After-Free in drm_gem_ttm_mmap

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that drop will free the gem object, and the subsequent drm_gem_object_get() will be a UAF. Fix by grabbing a reference before calling the mmap helper. This issue was forseen when the reference dropping was adding in commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"): "For that to work properly the drm_gem_object_get() call in drm_gem_ttm_mmap() must be moved so it happens before calling obj->funcs->mmap(), otherwise the gem refcount would go down to zero."

Scores

CVSS v3 7.8
EPSS 0.0022
EPSS Percentile 12.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-416
Status published
Products (7)
Linux/Linux < 5.5
Linux/Linux 5.15.5 - 5.15.*
Linux/Linux 5.16
Linux/Linux 5.5
Linux/Linux 9786b65bc61acec63f923978c75e707afbb74bc7 - 4f8e469a2384dfa4047145b0093126462cbb6dc0
Linux/Linux 9786b65bc61acec63f923978c75e707afbb74bc7 - 8244a3bc27b3efd057da154b8d7e414670d5044f
linux/linux_kernel 5.5 - 5.15.5
Published Apr 10, 2024
Tracked Since Feb 18, 2026