CVE-2021-47099
Vulnerability from cvelistv5
Published: 2024-03-04 18:10
Modified: 2024-11-04 11:59
Summary: veth: ensure skb entering GRO are not cloned.
Impacted products: Linux (vendor: Linux)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-47099",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T14:24:44.909749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T14:56:58.471Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:24:39.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d2269ae48598e05b59ec9ea9e6e44fd33941130d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9695b7de5b4760ed22132aca919570c0190cb0ce"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/veth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d2269ae48598",
              "status": "affected",
              "version": "d3256efd8e8b",
              "versionType": "git"
            },
            {
              "lessThan": "9695b7de5b47",
              "status": "affected",
              "version": "d3256efd8e8b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/veth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: ensure skb entering GRO are not cloned.\n\nAfter commit d3256efd8e8b (\"veth: allow enabling NAPI even without XDP\"),\nif GRO is enabled on a veth device and TSO is disabled on the peer\ndevice, TCP skbs will go through the NAPI callback. If there is no XDP\nprogram attached, the veth code does not perform any share check, and\nshared/cloned skbs could enter the GRO engine.\n\nIgnat reported a BUG triggered later-on due to the above condition:\n\n[   53.970529][    C1] kernel BUG at net/core/skbuff.c:3574!\n[   53.981755][    C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n[   53.982634][    C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25\n[   53.982634][    C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n[   53.982634][    C1] RIP: 0010:skb_shift+0x13ef/0x23b0\n[   53.982634][    C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0\n7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f\n85 74 f5 ff ff \u003c0f\u003e 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89\nf7 4c 89 8c\n[   53.982634][    C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246\n[   53.982634][    C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000\n[   53.982634][    C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2\n[   53.982634][    C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0\n[   53.982634][    C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590\n[   53.982634][    C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0\n[   53.982634][    C1] FS:  0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000\n[   53.982634][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   53.982634][    C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0\n[   53.982634][    C1] Call Trace:\n[   53.982634][    
C1]  \u003cTASK\u003e\n[   53.982634][    C1]  tcp_sacktag_walk+0xaba/0x18e0\n[   53.982634][    C1]  tcp_sacktag_write_queue+0xe7b/0x3460\n[   53.982634][    C1]  tcp_ack+0x2666/0x54b0\n[   53.982634][    C1]  tcp_rcv_established+0x4d9/0x20f0\n[   53.982634][    C1]  tcp_v4_do_rcv+0x551/0x810\n[   53.982634][    C1]  tcp_v4_rcv+0x22ed/0x2ed0\n[   53.982634][    C1]  ip_protocol_deliver_rcu+0x96/0xaf0\n[   53.982634][    C1]  ip_local_deliver_finish+0x1e0/0x2f0\n[   53.982634][    C1]  ip_sublist_rcv_finish+0x211/0x440\n[   53.982634][    C1]  ip_list_rcv_finish.constprop.0+0x424/0x660\n[   53.982634][    C1]  ip_list_rcv+0x2c8/0x410\n[   53.982634][    C1]  __netif_receive_skb_list_core+0x65c/0x910\n[   53.982634][    C1]  netif_receive_skb_list_internal+0x5f9/0xcb0\n[   53.982634][    C1]  napi_complete_done+0x188/0x6e0\n[   53.982634][    C1]  gro_cell_poll+0x10c/0x1d0\n[   53.982634][    C1]  __napi_poll+0xa1/0x530\n[   53.982634][    C1]  net_rx_action+0x567/0x1270\n[   53.982634][    C1]  __do_softirq+0x28a/0x9ba\n[   53.982634][    C1]  run_ksoftirqd+0x32/0x60\n[   53.982634][    C1]  smpboot_thread_fn+0x559/0x8c0\n[   53.982634][    C1]  kthread+0x3b9/0x490\n[   53.982634][    C1]  ret_from_fork+0x22/0x30\n[   53.982634][    C1]  \u003c/TASK\u003e\n\nAddress the issue by skipping the GRO stage for shared or cloned skbs.\nTo reduce the chance of OoO, try to unclone the skbs before giving up.\n\nv1 -\u003e v2:\n - use avoid skb_copy and fallback to netif_receive_skb  - Eric"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T11:59:23.367Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d2269ae48598e05b59ec9ea9e6e44fd33941130d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9695b7de5b4760ed22132aca919570c0190cb0ce"
        }
      ],
      "title": "veth: ensure skb entering GRO are not cloned.",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47099",
    "datePublished": "2024-03-04T18:10:51.200Z",
    "dateReserved": "2024-02-29T22:33:44.301Z",
    "dateUpdated": "2024-11-04T11:59:23.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47099\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-04T18:15:08.153\",\"lastModified\":\"2024-10-31T15:35:02.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nveth: ensure skb entering GRO are not cloned.\\n\\nAfter commit d3256efd8e8b (\\\"veth: allow enabling NAPI even without XDP\\\"),\\nif GRO is enabled on a veth device and TSO is disabled on the peer\\ndevice, TCP skbs will go through the NAPI callback. If there is no XDP\\nprogram attached, the veth code does not perform any share check, and\\nshared/cloned skbs could enter the GRO engine.\\n\\nIgnat reported a BUG triggered later-on due to the above condition:\\n\\n[   53.970529][    C1] kernel BUG at net/core/skbuff.c:3574!\\n[   53.981755][    C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\\n[   53.982634][    C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25\\n[   53.982634][    C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\\n[   53.982634][    C1] RIP: 0010:skb_shift+0x13ef/0x23b0\\n[   53.982634][    C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0\\n7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f\\n85 74 f5 ff ff \u003c0f\u003e 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89\\nf7 4c 89 8c\\n[   53.982634][    C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246\\n[   53.982634][    C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000\\n[   53.982634][    C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2\\n[   53.982634][    C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0\\n[   53.982634][    C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590\\n[   53.982634][    C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0\\n[   
53.982634][    C1] FS:  0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000\\n[   53.982634][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[   53.982634][    C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0\\n[   53.982634][    C1] Call Trace:\\n[   53.982634][    C1]  \u003cTASK\u003e\\n[   53.982634][    C1]  tcp_sacktag_walk+0xaba/0x18e0\\n[   53.982634][    C1]  tcp_sacktag_write_queue+0xe7b/0x3460\\n[   53.982634][    C1]  tcp_ack+0x2666/0x54b0\\n[   53.982634][    C1]  tcp_rcv_established+0x4d9/0x20f0\\n[   53.982634][    C1]  tcp_v4_do_rcv+0x551/0x810\\n[   53.982634][    C1]  tcp_v4_rcv+0x22ed/0x2ed0\\n[   53.982634][    C1]  ip_protocol_deliver_rcu+0x96/0xaf0\\n[   53.982634][    C1]  ip_local_deliver_finish+0x1e0/0x2f0\\n[   53.982634][    C1]  ip_sublist_rcv_finish+0x211/0x440\\n[   53.982634][    C1]  ip_list_rcv_finish.constprop.0+0x424/0x660\\n[   53.982634][    C1]  ip_list_rcv+0x2c8/0x410\\n[   53.982634][    C1]  __netif_receive_skb_list_core+0x65c/0x910\\n[   53.982634][    C1]  netif_receive_skb_list_internal+0x5f9/0xcb0\\n[   53.982634][    C1]  napi_complete_done+0x188/0x6e0\\n[   53.982634][    C1]  gro_cell_poll+0x10c/0x1d0\\n[   53.982634][    C1]  __napi_poll+0xa1/0x530\\n[   53.982634][    C1]  net_rx_action+0x567/0x1270\\n[   53.982634][    C1]  __do_softirq+0x28a/0x9ba\\n[   53.982634][    C1]  run_ksoftirqd+0x32/0x60\\n[   53.982634][    C1]  smpboot_thread_fn+0x559/0x8c0\\n[   53.982634][    C1]  kthread+0x3b9/0x490\\n[   53.982634][    C1]  ret_from_fork+0x22/0x30\\n[   53.982634][    C1]  \u003c/TASK\u003e\\n\\nAddress the issue by skipping the GRO stage for shared or cloned skbs.\\nTo reduce the chance of OoO, try to unclone the skbs before giving up.\\n\\nv1 -\u003e v2:\\n - use avoid skb_copy and fallback to netif_receive_skb  - Eric\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: veth: aseg\u00farese de que los skb que 
ingresan a GRO no est\u00e9n clonados. Despu\u00e9s de confirmar d3256efd8e8b (\\\"veth: permitir habilitar NAPI incluso sin XDP\\\"), si GRO est\u00e1 habilitado en un dispositivo veth y TSO est\u00e1 deshabilitado en el dispositivo par, los skbs TCP pasar\u00e1n por la devoluci\u00f3n de llamada de NAPI. Si no hay ning\u00fan programa XDP adjunto, el c\u00f3digo veth no realiza ninguna verificaci\u00f3n compartida y los skbs compartidos/clonados podr\u00edan ingresar al motor GRO. Ignat inform\u00f3 de un ERROR que se activ\u00f3 m\u00e1s tarde debido a la condici\u00f3n anterior: [53.970529][C1] ERROR del kernel en net/core/skbuff.c:3574. [ 53.981755][ C1] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP KASAN PTI [ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 No contaminado 5.16.0-rc5+ #25 [ 53.982634][ C1] Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 0.0.0 06/02/2015 [ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0 [ 53.982634][ C1] C\u00f3digo: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff \u0026lt;0f\u0026gt; 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c [ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246 [ 53.982634][ C1] RAX: 0000000000000000000000 RB X: ffff8881180b4c80 RCX: 0000000000000000 [ 53.982634][ C1] RDX: 00000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2 [ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0 [ 53.982634][ C1] R10: ff ffed1022999e5c R11: 0000000000000002 R12: 0000000000000590 [ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0 [ 53.982634][ C1] FS: 00000000000000000(0000) GS:ffff888235880000(0000) knlGS:00000000000000000 [ 53.982634][ C1] CS: 0010 DS: 00 00 ES: 0000 CR0: 0000000080050033 [ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3 : 0000000108ce8004 CR4: 0000000000170ee0 [ 53.982634][ C1] Seguimiento de 
llamadas: [ 53.982634][ C1]  [ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0 [ 53.982634][ C1] t cp_sacktag_write_queue+0xe7b/0x3460 [ 53.982634][ C1 ] tcp_ack+0x2666/0x54b0 [ 53.982634][ C1] tcp_rcv_establecido+0x4d9/0x20f0 [ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810 [ 53.982634][ C1] tcp_v4_rcv+0x 22ed/0x2ed0 [ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0 [ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0 [ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440 [ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660 [ 53.9 82634][C1] ip_list_rcv+0x2c8/0x410 [ 53.982634 ][ C1] __netif_receive_skb_list_core+0x65c/0x910 [ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0 [ 53.982634][ C1] napi_complete_done+0x188/0x6e0 [ 53.982634][ C1] gro_cell_ encuesta+0x10c/0x1d0 [ 53.982634][ C1] __napi_poll+ 0xa1/0x530 [ 53.982634][ C1] net_rx_action+0x567/0x1270 [ 53.982634][ C1] __do_softirq+0x28a/0x9ba [ 53.982634][ C1] run_ksoftirqd+0x32/0x60 [ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0 [53.982634] [ C1] kthread+0x3b9/0x490 [ 53.982634][ C1] ret_from_fork+0x22/0x30 [ 53.982634][ C1]  Solucione el problema omitiendo la etapa GRO para skbs compartidos o clonados. Para reducir la posibilidad de OoO, intente desbloquear los skbs antes de darse por vencido. 
v1 -\u0026gt; v2: - use evitar skb_copy y recurra a netif_receive_skb - Eric\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.8,\"impactScore\":5.2}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/9695b7de5b4760ed22132aca919570c0190cb0ce\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d2269ae48598e05b59ec9ea9e6e44fd33941130d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

