CVE-2021-47214

MEDIUM

Linux Kernel 5.14-5.15.4 - Use-After-Free in Hugetlb Userfaultfd Reservation Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: hugetlb, userfaultfd: fix reservation restore on userfaultfd error Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we bail out using "goto out_release_unlock;" in the cases where idx >= size, or !huge_pte_none(), the code will detect that new_pagecache_page == false, and so call restore_reserve_on_error(). In this case I see restore_reserve_on_error() delete the reservation, and the following call to remove_inode_hugepages() will increment h->resv_hugepages causing a 100% reproducible leak. We should treat the is_continue case similar to adding a page into the pagecache and set new_pagecache_page to true, to indicate that there is no reservation to restore on the error path, and we need not call restore_reserve_on_error(). Rename new_pagecache_page to page_in_pagecache to make that clear.

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e

Patch

https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7

Scores

CVSS v3 5.5

EPSS 0.0019

EPSS Percentile 9.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-401

Status published

Products (11)

Linux/Linux < 5.14

Linux/Linux 5.13.13 - 5.14

Linux/Linux 5.14

Linux/Linux 5.15.5 - 5.15.*

Linux/Linux 5.16

Linux/Linux 515b6124df6a84c957c5cc6bb6e8309dae7b1e9c

Linux/Linux c7b1850dfb41d0b4154aca8dbc04777fbd75616f - b5069d44e2fbc4a9093d005b3ef0949add3dd27e

Linux/Linux c7b1850dfb41d0b4154aca8dbc04777fbd75616f - cc30042df6fcc82ea18acf0dace831503e60a0b7

linux/linux_kernel 5.13.13

linux/linux_kernel 5.16 rc1

... and 1 more

Published Apr 10, 2024

Tracked Since Feb 18, 2026