CVE-2021-47069: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry do_mq_timedreceive calls wq_sleep with a stack local address. The sender (do_mq_timedsend) uses this address to later call pipelined_send. This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash: RIP: 0010:wake_q_add_safe+0x13/0x60 Call Trace: __x64_sys_mq_timedsend+0x2a9/0x490 do_syscall_64+0x80/0x680 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5928e40343 The race occurs as: 1. do_mq_timedreceive calls wq_sleep with the address of `struct ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it holds a valid `struct ext_wait_queue *` as long as the stack has not been overwritten. 2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call __pipelined_op. 3. Sender calls __pipelined_op::smp_store_release(&this->state, STATE_READY). Here is where the race window begins. (`this` is `ewq_addr`.) 4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it will see `state == STATE_READY` and break. 5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's stack. (Although the address may not get overwritten until another function happens to touch it, which means it can persist around for an indefinite time.) 6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a `struct ext_wait_queue *`, and uses it to find a task_struct to pass to the wake_q_add_safe call. In the lucky case where nothing has overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct. In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a bogus address as the receiver's task_struct causing the crash. do_mq_timedsend::__pipelined_op() should not dereference `this` after setting STATE_READY, as the receiver counterpart is now free to return. Change __pipelined_op to call wake_q_add_safe on the receiver's task_struct returned by get_task_struct, instead of dereferencing `this` which sits on the receiver's stack. As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix those in the same way.
AI Analysis
Technical Summary
CVE-2021-47069 is a race condition vulnerability found in the Linux kernel's inter-process communication (IPC) mechanisms, specifically within the message queue (mqueue), message (msg), and semaphore (sem) subsystems. The flaw arises from improper handling of stack-allocated wait queue structures during timed message send and receive operations. The vulnerability occurs when the function do_mq_timedreceive calls wq_sleep with a pointer to a stack-local ext_wait_queue structure. This pointer is then added to a wait queue list and later accessed by the sender function do_mq_timedsend via __pipelined_op. The race condition manifests because after the receiver returns from do_mq_timedreceive, the stack memory containing the ext_wait_queue structure may be invalid or overwritten. However, the sender continues to dereference this stale pointer, potentially leading to use-after-free behavior and kernel crashes. Specifically, the crash occurs in wake_q_add_safe when the sender attempts to wake the receiver task using an invalid task_struct pointer derived from the stale ext_wait_queue. The root cause is that __pipelined_op dereferences the stack-based pointer after setting its state to STATE_READY, without ensuring the receiver has completed and the pointer remains valid. The fix involves modifying __pipelined_op to avoid dereferencing the stack pointer after signaling readiness, instead using a safely retrieved task_struct pointer. The vulnerability also affects similar IPC code paths in ipc/msg.c and ipc/sem.c, which have been fixed similarly. This is a subtle, hard-to-trigger race condition that can cause kernel panics or crashes, impacting system stability and availability. No known exploits are reported in the wild as of publication. The vulnerability affects Linux kernel versions containing the specified commit hashes prior to patching.
Potential Impact
For European organizations relying on Linux-based systems, especially those using IPC mechanisms extensively (e.g., servers, embedded devices, or cloud infrastructure), this vulnerability poses a risk of system instability and denial of service due to kernel crashes. While it does not directly lead to privilege escalation or data leakage, the resulting kernel panic can disrupt critical services, causing downtime and potential loss of availability. Organizations running real-time or high-availability Linux environments could face significant operational impact. Additionally, the complexity and subtlety of the race condition make detection and mitigation challenging without applying patches. Systems exposed to untrusted users or processes capable of triggering timed message queue operations are at higher risk. Although no exploits are known, the vulnerability's presence in widely deployed Linux kernels means that attackers with local access could potentially induce crashes, impacting service continuity. For European sectors such as finance, healthcare, telecommunications, and critical infrastructure that depend on Linux stability, this vulnerability requires prompt attention to avoid service disruptions.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47069 as soon as they become available from trusted sources or Linux distribution vendors. 2. For organizations unable to patch immediately, consider restricting access to IPC message queue interfaces to trusted users only, minimizing exposure to untrusted local processes that could trigger the race. 3. Monitor system logs for kernel oops or panic messages related to wake_q_add_safe or IPC message queue operations to detect potential exploitation attempts or crashes. 4. Employ kernel live patching solutions where supported to apply fixes without requiring full system reboots, reducing downtime. 5. Conduct thorough testing of IPC-dependent applications and services after patching to ensure stability and correct operation. 6. Harden system configurations by limiting unnecessary IPC usage and isolating critical workloads using containerization or virtualization to contain potential crashes. 7. Maintain up-to-date backups and incident response plans to recover quickly from unexpected kernel crashes. 8. Collaborate with Linux distribution maintainers and security teams to track patch availability and deployment status.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2021-47069: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry do_mq_timedreceive calls wq_sleep with a stack local address. The sender (do_mq_timedsend) uses this address to later call pipelined_send. This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash: RIP: 0010:wake_q_add_safe+0x13/0x60 Call Trace: __x64_sys_mq_timedsend+0x2a9/0x490 do_syscall_64+0x80/0x680 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5928e40343 The race occurs as: 1. do_mq_timedreceive calls wq_sleep with the address of `struct ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it holds a valid `struct ext_wait_queue *` as long as the stack has not been overwritten. 2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call __pipelined_op. 3. Sender calls __pipelined_op::smp_store_release(&this->state, STATE_READY). Here is where the race window begins. (`this` is `ewq_addr`.) 4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it will see `state == STATE_READY` and break. 5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's stack. (Although the address may not get overwritten until another function happens to touch it, which means it can persist around for an indefinite time.) 6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a `struct ext_wait_queue *`, and uses it to find a task_struct to pass to the wake_q_add_safe call. In the lucky case where nothing has overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct. In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a bogus address as the receiver's task_struct causing the crash. do_mq_timedsend::__pipelined_op() should not dereference `this` after setting STATE_READY, as the receiver counterpart is now free to return. Change __pipelined_op to call wake_q_add_safe on the receiver's task_struct returned by get_task_struct, instead of dereferencing `this` which sits on the receiver's stack. As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix those in the same way.
AI-Powered Analysis
Technical Analysis
CVE-2021-47069 is a race condition vulnerability found in the Linux kernel's inter-process communication (IPC) mechanisms, specifically within the message queue (mqueue), message (msg), and semaphore (sem) subsystems. The flaw arises from improper handling of stack-allocated wait queue structures during timed message send and receive operations. The vulnerability occurs when the function do_mq_timedreceive calls wq_sleep with a pointer to a stack-local ext_wait_queue structure. This pointer is then added to a wait queue list and later accessed by the sender function do_mq_timedsend via __pipelined_op. The race condition manifests because after the receiver returns from do_mq_timedreceive, the stack memory containing the ext_wait_queue structure may be invalid or overwritten. However, the sender continues to dereference this stale pointer, potentially leading to use-after-free behavior and kernel crashes. Specifically, the crash occurs in wake_q_add_safe when the sender attempts to wake the receiver task using an invalid task_struct pointer derived from the stale ext_wait_queue. The root cause is that __pipelined_op dereferences the stack-based pointer after setting its state to STATE_READY, without ensuring the receiver has completed and the pointer remains valid. The fix involves modifying __pipelined_op to avoid dereferencing the stack pointer after signaling readiness, instead using a safely retrieved task_struct pointer. The vulnerability also affects similar IPC code paths in ipc/msg.c and ipc/sem.c, which have been fixed similarly. This is a subtle, hard-to-trigger race condition that can cause kernel panics or crashes, impacting system stability and availability. No known exploits are reported in the wild as of publication. The vulnerability affects Linux kernel versions containing the specified commit hashes prior to patching.
Potential Impact
For European organizations relying on Linux-based systems, especially those using IPC mechanisms extensively (e.g., servers, embedded devices, or cloud infrastructure), this vulnerability poses a risk of system instability and denial of service due to kernel crashes. While it does not directly lead to privilege escalation or data leakage, the resulting kernel panic can disrupt critical services, causing downtime and potential loss of availability. Organizations running real-time or high-availability Linux environments could face significant operational impact. Additionally, the complexity and subtlety of the race condition make detection and mitigation challenging without applying patches. Systems exposed to untrusted users or processes capable of triggering timed message queue operations are at higher risk. Although no exploits are known, the vulnerability's presence in widely deployed Linux kernels means that attackers with local access could potentially induce crashes, impacting service continuity. For European sectors such as finance, healthcare, telecommunications, and critical infrastructure that depend on Linux stability, this vulnerability requires prompt attention to avoid service disruptions.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-47069 as soon as they become available from trusted sources or Linux distribution vendors. 2. For organizations unable to patch immediately, consider restricting access to IPC message queue interfaces to trusted users only, minimizing exposure to untrusted local processes that could trigger the race. 3. Monitor system logs for kernel oops or panic messages related to wake_q_add_safe or IPC message queue operations to detect potential exploitation attempts or crashes. 4. Employ kernel live patching solutions where supported to apply fixes without requiring full system reboots, reducing downtime. 5. Conduct thorough testing of IPC-dependent applications and services after patching to ensure stability and correct operation. 6. Harden system configurations by limiting unnecessary IPC usage and isolating critical workloads using containerization or virtualization to contain potential crashes. 7. Maintain up-to-date backups and incident response plans to recover quickly from unexpected kernel crashes. 8. Collaborate with Linux distribution maintainers and security teams to track patch availability and deployment status.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-29T22:33:44.296Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9834c4522896dcbe9c27
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 8:43:14 PM
Last updated: 8/11/2025, 12:05:32 AM
Views: 9
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.