CVE-2021-47014
Vulnerability from cvelistv5
Published
2024-02-28 08:13
Modified
2024-12-19 07:33
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: fix wild memory access when clearing fragments
while testing re-assembly/re-fragmentation using act_ct, it's possible to
observe a crash like the following one:
KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]
CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0
Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48
RSP: 0018:ffff888c31449db8 EFLAGS: 00010203
RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960
RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e
RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350
R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000
R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160
FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
inet_frag_destroy+0xa9/0x150
call_timer_fn+0x2d/0x180
run_timer_softirq+0x4fe/0xe70
__do_softirq+0x197/0x5a0
irq_exit_rcu+0x1de/0x200
sysvec_apic_timer_interrupt+0x6b/0x80
</IRQ>
when act_ct temporarily stores an IP fragment, restoring the skb qdisc cb
results in putting random data in FRAG_CB(), and this causes those "wild"
memory accesses later, when the rbtree is purged. Never overwrite the skb
cb in case tcf_ct_handle_fragments() returns -EINPROGRESS.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:38.521Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0648941f4c8bbf8b4b6c0b270889ae7aa769b921" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f77bd544a6bbe69aa50d9ed09f13494cf36ff806" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-47014", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:58:12.683000Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:31.142Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/act_ct.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0648941f4c8bbf8b4b6c0b270889ae7aa769b921", "status": "affected", "version": "ae372cb1750f6c95370f92fe5f5620e0954663ba", "versionType": "git" }, { "lessThan": "f77bd544a6bbe69aa50d9ed09f13494cf36ff806", "status": "affected", "version": "ae372cb1750f6c95370f92fe5f5620e0954663ba", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/act_ct.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.8" }, { "lessThan": "5.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix wild memory access when clearing fragments\n\nwhile testing re-assembly/re-fragmentation using act_ct, it\u0027s possible to\nobserve a crash like the following one:\n\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 \u003c42\u003e 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\n FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cIRQ\u003e\n inet_frag_destroy+0xa9/0x150\n call_timer_fn+0x2d/0x180\n run_timer_softirq+0x4fe/0xe70\n __do_softirq+0x197/0x5a0\n irq_exit_rcu+0x1de/0x200\n sysvec_apic_timer_interrupt+0x6b/0x80\n \u003c/IRQ\u003e\n\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\nresults in putting random data in FRAG_CB(), and this causes those \"wild\"\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:33:37.174Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0648941f4c8bbf8b4b6c0b270889ae7aa769b921" }, { "url": "https://git.kernel.org/stable/c/f77bd544a6bbe69aa50d9ed09f13494cf36ff806" } ], "title": "net/sched: act_ct: fix wild memory access when clearing fragments", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47014", "datePublished": "2024-02-28T08:13:31.513Z", "dateReserved": "2024-02-27T18:42:55.953Z", "dateUpdated": "2024-12-19T07:33:37.174Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-47014\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-28T09:15:38.860\",\"lastModified\":\"2024-11-21T06:35:11.560\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: act_ct: fix wild memory access when clearing fragments\\n\\nwhile testing re-assembly/re-fragmentation using act_ct, it\u0027s possible to\\nobserve a crash like the following one:\\n\\n KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]\\n CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424\\n Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017\\n RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0\\n Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 \u003c42\u003e 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48\\n RSP: 0018:ffff888c31449db8 EFLAGS: 00010203\\n RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960\\n RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e\\n RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350\\n R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000\\n R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160\\n FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000\\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0\\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n Call Trace:\\n \u003cIRQ\u003e\\n inet_frag_destroy+0xa9/0x150\\n call_timer_fn+0x2d/0x180\\n run_timer_softirq+0x4fe/0xe70\\n __do_softirq+0x197/0x5a0\\n irq_exit_rcu+0x1de/0x200\\n sysvec_apic_timer_interrupt+0x6b/0x80\\n \u003c/IRQ\u003e\\n\\nwhen act_ct temporarily stores an IP fragment, restoring the skb qdisc cb\\nresults in putting random data in FRAG_CB(), and this causes those \\\"wild\\\"\\nmemory accesses later, when the rbtree is purged. Never overwrite the skb\\ncb in case tcf_ct_handle_fragments() returns -EINPROGRESS.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: act_ct: corrige el acceso salvaje a la memoria al borrar fragmentos mientras se prueba el reensamblaje/refragmentaci\u00f3n usando act_ct, es posible observar un bloqueo como el siguiente: KASAN: tal vez acceso a memoria salvaje en el rango [0x0001000000000448-0x000100000000044f] CPU: 50 PID: 0 Comunicaciones: swapper/50 Tainted: GS 5.12.0-rc7+ #424 Nombre de hardware: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01 /17/2017 RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0 C\u00f3digo: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 \u0026lt;42\u0026gt; 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48 RSP: 0018:ffff888c31449db8 EFLAGS: 00010203 RAX: 00 00200000000089 RBX: 000100000000040e RCX: ffffffff989eb960 RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e RBP: 0000000000000900 R08: 00000000000000000 R09: ffffed1186289350 R10: 00000000 00000003 R11: ffffed1186289350 R12: dffffc0000000000 R13: 000100000000040e R14: 00000000000000000 R15: ffff888155e02160 FS: 00000000000000000 (0000) GS:ffff888c31440000(0000) knlGS:0000000000000000 CS : 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0 000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000000400 Seguimiento de llamadas: inet_frag_destroy+0xa9/0x150 call_timer_fn +0x2d/0x180 run_timer_softirq+0x4fe/0xe70 __do_softirq+0x197/0x5a0 irq_exit_rcu+0x1de/0x200 sysvec_apic_timer_interrupt+0x6b/0x80 cuando act_ct almacena temporalmente un fragmento de IP, la restauraci\u00f3n de skb qdisc cb da como resultado la colocaci\u00f3n de datos aleatorios en FR AG_CB() , y esto provoca esos accesos a la memoria \\\"salvajes\\\" m\u00e1s adelante, cuando se purga el rbtree. Nunca sobrescriba el skb cb en caso de que tcf_ct_handle_fragments() devuelva -EINPROGRESS.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0648941f4c8bbf8b4b6c0b270889ae7aa769b921\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f77bd544a6bbe69aa50d9ed09f13494cf36ff806\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0648941f4c8bbf8b4b6c0b270889ae7aa769b921\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f77bd544a6bbe69aa50d9ed09f13494cf36ff806\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.