一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

修复是否涉及abi变化(是/否)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0

CVSS V2.0分值：

BaseScore：0.0 Low

Vector：CVSS：2.0/

漏洞简述：

In the Linux kernel, the following vulnerability has been resolved:usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.ffs_data_clear is indirectly called from both ffs_fs_kill_sb andffs_ep0_release, so it ends up being called twice when userland closes ep0and then unmounts f_fs.If userland provided an eventfd along with function s USB descriptors, itends up calling eventfd_ctx_put as many times, causing a refcountunderflow.NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.Also, set epfiles to NULL right after de-allocating it, for readability.For completeness, ffs_data_clear actually ends up being called thrice, thelast call being before the whole ffs structure gets freed, so when thisspecific sequence happens there is a second underflow happening (but notbeing reported):/sys/kernel/debug/tracing# modprobe usb_f_fs/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter/sys/kernel/debug/tracing# echo function > current_tracer/sys/kernel/debug/tracing# echo 1 > tracing_on(setup gadget, run and kill function userland process, teardown gadget)/sys/kernel/debug/tracing# echo 0 > tracing_on/sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_putWarning output corresponding to above trace:[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c[ 1946.293094] refcount_t: underflow; use-after-free.[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1[ 1946.417950] Hardware name: BCM2835[ 1946.425442] Backtrace:[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)[ 1946.482067] r5:c04a948c r4:c0a71dc8[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])[ 1946.582664] r5:c3b84c00 r4:c2695b00[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])[ 1946.609608] r5:bf54d014 r4:c2695b00[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])[ 1946.636217] r7:c0dfcb---truncated---

漏洞公开时间：2024-02-27 18:15:07

漏洞创建时间：2024-02-27 19:00:32

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 | |

| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa | |

| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2021-46933 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| suse_bugzilla | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | https://bugzilla.suse.com/show_bug.cgi?id=1220487 |

| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024022750-CVE-2021-46933-2103@gregkh/T/#u | https://bugzilla.redhat.com/show_bug.cgi?id=2266448 |

| cve_search | | https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa |

| cve_search | | https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919 |

| cve_search | | https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09 |

| cve_search | | https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b |

| cve_search | | https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee |

| cve_search | | https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645 |

| cve_search | | https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684 |

| cve_search | | https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

openBrain开源漏洞感知系统

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b1e0887379422975f237d43d8839b751a6bcf154 | | suse_bugzilla |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(6.1.0):

2.openEuler-20.03-LTS-SP1(4.19.90):

3.openEuler-20.03-LTS-SP4(4.19.90):

4.openEuler-22.03-LTS(5.10.0):

5.openEuler-22.03-LTS-Next(5.10.0):

6.openEuler-22.03-LTS-SP1(5.10.0):

7.openEuler-22.03-LTS-SP2(5.10.0):

8.openEuler-22.03-LTS-SP3(5.10.0):

一、漏洞信息

漏洞编号：[CVE-2021-46933](https://nvd.nist.gov/vuln/detail/CVE-2021-46933)

漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)

漏洞简述：

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2021-46933

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |