cve-2021-47136
Vulnerability from cvelistv5
Published
2024-03-25 09:07
Modified
2024-11-04 12:00
Severity ?
EPSS score ?
Summary
net: zero-initialize tc skb extension on allocation
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:40.228Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ac493452e937b8939eaf2d24cac51a4804b6c20e" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/86ab133b695ed7ba1f8786b12f4ca43137ad8c18" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/9453d45ecb6c2199d72e73c993e9d98677a2801b" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-47136", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T15:55:03.662373Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:16.207Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c", "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c", "include/net/pkt_cls.h", "net/sched/cls_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ac493452e937", "status": "affected", "version": "038ebb1a713d", "versionType": "git" }, { "lessThan": "86ab133b695e", "status": "affected", "version": "038ebb1a713d", "versionType": "git" }, { "lessThan": "9453d45ecb6c", "status": "affected", "version": "038ebb1a713d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c", "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c", "include/net/pkt_cls.h", "net/sched/cls_api.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.42", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: zero-initialize tc skb extension on allocation\n\nFunction skb_ext_add() doesn\u0027t initialize created skb extension with any\nvalue and leaves it up to the user. However, since extension of type\nTC_SKB_EXT originally contained only single value tc_skb_ext-\u003echain its\nusers used to just assign the chain value without setting whole extension\nmemory to zero first. This assumption changed when TC_SKB_EXT extension was\nextended with additional fields but not all users were updated to\ninitialize the new fields which leads to use of uninitialized memory\nafterwards. UBSAN log:\n\n[ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28\n[ 778.301495] load of value 107 is not a valid value for type \u0027_Bool\u0027\n[ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2\n[ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 778.307901] Call Trace:\n[ 778.308680] \u003cIRQ\u003e\n[ 778.309358] dump_stack+0xbb/0x107\n[ 778.310307] ubsan_epilogue+0x5/0x40\n[ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48\n[ 778.312454] ? memset+0x20/0x40\n[ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]\n[ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch]\n[ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]\n[ 778.317188] ? create_prof_cpu_mask+0x20/0x20\n[ 778.318220] ? arch_stack_walk+0x82/0xf0\n[ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb\n[ 778.320399] ? stack_trace_save+0x91/0xc0\n[ 778.321362] ? stack_trace_consume_entry+0x160/0x160\n[ 778.322517] ? lock_release+0x52e/0x760\n[ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch]\n[ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]\n[ 778.325950] __netif_receive_skb_core+0x771/0x2db0\n[ 778.327067] ? lock_downgrade+0x6e0/0x6f0\n[ 778.328021] ? lock_acquire+0x565/0x720\n[ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0\n[ 778.329902] ? inet_gro_receive+0x2a7/0x10a0\n[ 778.330914] ? lock_downgrade+0x6f0/0x6f0\n[ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0\n[ 778.332876] ? lock_release+0x52e/0x760\n[ 778.333808] ? dev_gro_receive+0xcc8/0x2380\n[ 778.334810] ? lock_downgrade+0x6f0/0x6f0\n[ 778.335769] __netif_receive_skb_list_core+0x295/0x820\n[ 778.336955] ? process_backlog+0x780/0x780\n[ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]\n[ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0\n[ 778.341033] ? kvm_clock_get_cycles+0x14/0x20\n[ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0\n[ 778.343288] ? __kasan_kmalloc+0x7a/0x90\n[ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]\n[ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]\n[ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820\n[ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]\n[ 778.349688] ? napi_gro_flush+0x26c/0x3c0\n[ 778.350641] napi_complete_done+0x188/0x6b0\n[ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]\n[ 778.352853] __napi_poll+0x9f/0x510\n[ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]\n[ 778.355158] net_rx_action+0x34c/0xa40\n[ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0\n[ 778.357083] ? sched_clock_cpu+0x18/0x190\n[ 778.358041] ? __common_interrupt+0x8e/0x1a0\n[ 778.359045] __do_softirq+0x1ce/0x984\n[ 778.359938] __irq_exit_rcu+0x137/0x1d0\n[ 778.360865] irq_exit_rcu+0xa/0x20\n[ 778.361708] common_interrupt+0x80/0xa0\n[ 778.362640] \u003c/IRQ\u003e\n[ 778.363212] asm_common_interrupt+0x1e/0x40\n[ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10\n[ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 \u003cc3\u003e 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00\n[ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246\n[ 778.370570] RAX\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-11-04T12:00:10.759Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ac493452e937b8939eaf2d24cac51a4804b6c20e" }, { "url": "https://git.kernel.org/stable/c/86ab133b695ed7ba1f8786b12f4ca43137ad8c18" }, { "url": "https://git.kernel.org/stable/c/9453d45ecb6c2199d72e73c993e9d98677a2801b" } ], "title": "net: zero-initialize tc skb extension on allocation", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47136", "datePublished": "2024-03-25T09:07:36.064Z", "dateReserved": "2024-03-04T18:12:48.840Z", "dateUpdated": "2024-11-04T12:00:10.759Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-47136\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-25T09:15:07.970\",\"lastModified\":\"2024-03-25T13:47:14.087\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: zero-initialize tc skb extension on allocation\\n\\nFunction skb_ext_add() doesn\u0027t initialize created skb extension with any\\nvalue and leaves it up to the user. However, since extension of type\\nTC_SKB_EXT originally contained only single value tc_skb_ext-\u003echain its\\nusers used to just assign the chain value without setting whole extension\\nmemory to zero first. This assumption changed when TC_SKB_EXT extension was\\nextended with additional fields but not all users were updated to\\ninitialize the new fields which leads to use of uninitialized memory\\nafterwards. UBSAN log:\\n\\n[ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28\\n[ 778.301495] load of value 107 is not a valid value for type \u0027_Bool\u0027\\n[ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2\\n[ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n[ 778.307901] Call Trace:\\n[ 778.308680] \u003cIRQ\u003e\\n[ 778.309358] dump_stack+0xbb/0x107\\n[ 778.310307] ubsan_epilogue+0x5/0x40\\n[ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48\\n[ 778.312454] ? memset+0x20/0x40\\n[ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]\\n[ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch]\\n[ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]\\n[ 778.317188] ? create_prof_cpu_mask+0x20/0x20\\n[ 778.318220] ? arch_stack_walk+0x82/0xf0\\n[ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb\\n[ 778.320399] ? stack_trace_save+0x91/0xc0\\n[ 778.321362] ? stack_trace_consume_entry+0x160/0x160\\n[ 778.322517] ? lock_release+0x52e/0x760\\n[ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch]\\n[ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]\\n[ 778.325950] __netif_receive_skb_core+0x771/0x2db0\\n[ 778.327067] ? lock_downgrade+0x6e0/0x6f0\\n[ 778.328021] ? lock_acquire+0x565/0x720\\n[ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0\\n[ 778.329902] ? inet_gro_receive+0x2a7/0x10a0\\n[ 778.330914] ? lock_downgrade+0x6f0/0x6f0\\n[ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0\\n[ 778.332876] ? lock_release+0x52e/0x760\\n[ 778.333808] ? dev_gro_receive+0xcc8/0x2380\\n[ 778.334810] ? lock_downgrade+0x6f0/0x6f0\\n[ 778.335769] __netif_receive_skb_list_core+0x295/0x820\\n[ 778.336955] ? process_backlog+0x780/0x780\\n[ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]\\n[ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0\\n[ 778.341033] ? kvm_clock_get_cycles+0x14/0x20\\n[ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0\\n[ 778.343288] ? __kasan_kmalloc+0x7a/0x90\\n[ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]\\n[ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]\\n[ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820\\n[ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]\\n[ 778.349688] ? napi_gro_flush+0x26c/0x3c0\\n[ 778.350641] napi_complete_done+0x188/0x6b0\\n[ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]\\n[ 778.352853] __napi_poll+0x9f/0x510\\n[ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]\\n[ 778.355158] net_rx_action+0x34c/0xa40\\n[ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0\\n[ 778.357083] ? sched_clock_cpu+0x18/0x190\\n[ 778.358041] ? __common_interrupt+0x8e/0x1a0\\n[ 778.359045] __do_softirq+0x1ce/0x984\\n[ 778.359938] __irq_exit_rcu+0x137/0x1d0\\n[ 778.360865] irq_exit_rcu+0xa/0x20\\n[ 778.361708] common_interrupt+0x80/0xa0\\n[ 778.362640] \u003c/IRQ\u003e\\n[ 778.363212] asm_common_interrupt+0x1e/0x40\\n[ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10\\n[ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 \u003cc3\u003e 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00\\n[ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246\\n[ 778.370570] RAX\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: inicializaci\u00f3n cero de la extensi\u00f3n tc skb en la asignaci\u00f3n La funci\u00f3n skb_ext_add() no inicializa la extensi\u00f3n skb creada con ning\u00fan valor y lo deja en manos del usuario. Sin embargo, dado que la extensi\u00f3n de tipo TC_SKB_EXT originalmente conten\u00eda solo un valor \u00fanico tc_skb_ext-\u0026gt;chain, sus usuarios sol\u00edan asignar simplemente el valor de la cadena sin establecer primero toda la memoria de extensi\u00f3n en cero. Esta suposici\u00f3n cambi\u00f3 cuando la extensi\u00f3n TC_SKB_EXT se ampli\u00f3 con campos adicionales, pero no todos los usuarios se actualizaron para inicializar los nuevos campos, lo que lleva al uso de memoria no inicializada posteriormente. Registro de UBSAN: [778.299821] UBSAN: carga no v\u00e1lida en net/openvswitch/flow.c:899:28 [778.301495] la carga del valor 107 no es un valor v\u00e1lido para el tipo \u0027_Bool\u0027 [778.303215] CPU: 0 PID: 0 Comm : swapper/0 Not tainted 5.12.0-rc7+ #2 [ 778.304933] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/ 2014 [778.307901] Seguimiento de llamadas: [778.308680] [778.309358] dump_stack+0xbb/0x107 [778.310307] ubsan_epilogue+0x5/0x40 [778.311167] __ubsan_handle_load_invalid_value.col d+0x43/0x48 [778.312454]? memset+0x20/0x40 [778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch] [778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch] [778.315749]? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch] [778.317188]? create_prof_cpu_mask+0x20/0x20 [778.318220]? arch_stack_walk+0x82/0xf0 [778.319153]? second_startup_64_no_verify+0xb0/0xbb [778.320399]? stack_trace_save+0x91/0xc0 [778.321362]? stack_trace_consume_entry+0x160/0x160 [778.322517]? lock_release+0x52e/0x760 [778.323444] netdev_frame_hook+0x323/0x610 [openvswitch] [778.324668]? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch] [778.325950] __netif_receive_skb_core+0x771/0x2db0 [778.327067]? lock_downgrade+0x6e0/0x6f0 [778.328021]? lock_acquire+0x565/0x720 [778.328940]? generic_xdp_tx+0x4f0/0x4f0 [778.329902]? inet_gro_receive+0x2a7/0x10a0 [778.330914]? lock_downgrade+0x6f0/0x6f0 [778.331867]? udp4_gro_receive+0x4c4/0x13e0 [778.332876]? lock_release+0x52e/0x760 [778.333808]? dev_gro_receive+0xcc8/0x2380 [778.334810]? lock_downgrade+0x6f0/0x6f0 [ 778.335769] __netif_receive_skb_list_core+0x295/0x820 [ 778.336955] ? proceso_backlog+0x780/0x780 [778.337941]? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core] [778.339613]? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0 [778.341033]? kvm_clock_get_cycles+0x14/0x20 [ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0 [ 778.343288] ? __kasan_kmalloc+0x7a/0x90 [778.344234]? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core] [778.345676]? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core] [778.347140]? __netif_receive_skb_list_core+0x820/0x820 [778.348351]? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core] [778.349688]? napi_gro_flush+0x26c/0x3c0 [ 778.350641] napi_complete_done+0x188/0x6b0 [ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core] [ 778.352853] __napi_poll+0x9f/0x510 [778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core] [778.355158] net_rx_action+0x34c/0xa40 [778.356060]? napi_threaded_poll+0x3d0/0x3d0 [778.357083]? sched_clock_cpu+0x18/0x190 [778.358041]? __common_interrupt+0x8e/0x1a0 [ 778.359045] __do_softirq+0x1ce/0x984 [ 778.359938] __irq_exit_rcu+0x137/0x1d0 [ 778.360865] irq_exit_rcu+0xa/0x20 [ 778.36170 8] interrupci\u00f3n_com\u00fan+0x80/0xa0 [ 778.362640] [ 778.363212] asm_interrupci\u00f3n_com\u00fan+0x1e /0x40 [ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10 [ 778.365273] C\u00f3digo: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e 9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00 [ 778.369355] RSP: 0018:ffffffff84407 e48 EFLAGS: 00000246 [778.370570] RAX ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/86ab133b695ed7ba1f8786b12f4ca43137ad8c18\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9453d45ecb6c2199d72e73c993e9d98677a2801b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ac493452e937b8939eaf2d24cac51a4804b6c20e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.