cve-2021-47304
Vulnerability from cvelistv5
Published
2024-05-21 14:35
Modified
2024-12-19 07:39
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions.

The buggy scenario constructed by syzkaller was something like:

(1) create a TCP socket
(2) initiate a TFO connect via sendto()
(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), which calls:
    tcp_set_congestion_control() ->
      tcp_reinit_congestion_control() ->
        tcp_init_congestion_control()
(4) receive ACK, connection is established, call tcp_init_transfer(), set icsk_ca_initialized=0 (without first calling cc->release()), call tcp_init_congestion_control() again.

Note that in this sequence tcp_init_congestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g., CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG.

The bug was introduced when commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), which would call tcp_init_congestion_control(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).
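The four-step sequence above is an init/release lifecycle bug: a flag that gates initialization is cleared without the matching release, so the module's init() runs twice and the first allocation is orphaned. The following user-space model is an added illustration, not kernel code and not the commit's own patch. It assumes a simplified socket (`struct sock_model`), a CDG-like init() that allocates a small buffer, and a per-socket allocation counter in place of the kernel's allocator; `run_sequence()` and the `_model` names are invented for the example. It runs the syzkaller sequence once against the buggy tcp_init_transfer() (flag reset) and once against the fixed one (flag honoured) and reports how many CC allocations survive socket teardown.

```c
/* Model of the CVE-2021-47304 lifecycle bug: a congestion-control (CC)
 * module's init() is called twice without a release() in between.
 * Added illustration, not kernel code; struct/function names are invented. */
#include <stdio.h>
#include <stdlib.h>

#define CDG_WINDOW 8   /* constructed: stands in for CDG's gradient history */

/* Per-socket state that matters for this bug (simplified). */
struct sock_model {
    int   ca_initialized;   /* plays the role of icsk_ca_initialized */
    int  *ca_priv;          /* memory the CC module's init() allocates */
    int  *orphaned;         /* first allocation lost by a double init (model only) */
    long  live_allocs;      /* bookkeeping used to detect the leak */
};

/* The CC module's init(): like CDG, it allocates per-socket memory. */
static void cc_init(struct sock_model *sk)
{
    if (sk->ca_priv)                 /* a second init overwrites the pointer; */
        sk->orphaned = sk->ca_priv;  /* in the kernel that memory is simply lost */
    sk->ca_priv = calloc(CDG_WINDOW, sizeof(int));
    sk->live_allocs++;
}

/* The CC module's release(): frees what init() allocated. */
static void cc_release(struct sock_model *sk)
{
    if (!sk->ca_priv)
        return;
    free(sk->ca_priv);
    sk->ca_priv = NULL;
    sk->live_allocs--;
}

static void tcp_init_congestion_control(struct sock_model *sk)
{
    cc_init(sk);
    sk->ca_initialized = 1;
}

/* setsockopt(TCP_CONGESTION) path: release the old module, init the new one. */
static void tcp_reinit_congestion_control(struct sock_model *sk)
{
    cc_release(sk);
    sk->ca_initialized = 0;
    tcp_init_congestion_control(sk);
}

/* Connection-established path. With fixed == 0 this reproduces the bug:
 * the flag is cleared without a release(), so init() runs a second time. */
static void tcp_init_transfer(struct sock_model *sk, int fixed)
{
    if (!fixed)
        sk->ca_initialized = 0;      /* the line the fix removes */
    if (!sk->ca_initialized)
        tcp_init_congestion_control(sk);
}

/* Run the four-step syzkaller sequence and return the number of CC
 * allocations still live after the socket is torn down (0 == no leak). */
long run_sequence(int fixed)
{
    struct sock_model sk = {0};
    /* (1) socket created; (2) TFO connect puts it in TCP_SYN_SENT:
     * no CC init has happened yet in this model. */
    tcp_reinit_congestion_control(&sk);   /* (3) setsockopt(TCP_CONGESTION) */
    tcp_init_transfer(&sk, fixed);        /* (4) ACK arrives, established */
    cc_release(&sk);                      /* socket close: exactly one release() */
    long leaked = sk.live_allocs;
    free(sk.orphaned);                    /* model-only cleanup of the orphan */
    return leaked;
}

int main(void)
{
    printf("buggy tcp_init_transfer: %ld allocation(s) leaked\n", run_sequence(0));
    printf("fixed tcp_init_transfer: %ld allocation(s) leaked\n", run_sequence(1));
    return 0;
}
```

The buggy run ends with one allocation unaccounted for (the buffer from step 3), the fixed run with none. The defensive takeaway generalizes beyond this CVE: a "already initialized" flag must only ever be cleared by the code path that also runs release(), otherwise every entry point that can legitimately initialize early (setsockopt here, BPF sockops in the original commit's motivation) becomes a double-init hazard.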
Impacted products
Vendor Product Version
Linux Linux Version: 5.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47304",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T15:35:43.044493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:14:55.263Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:08.445Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ad4ba3404931745a5977ad12db4f0c34080e52f7",
              "status": "affected",
              "version": "8919a9b31eb4fb4c0a93e5fb350a626924302aa6",
              "versionType": "git"
            },
            {
              "lessThan": "fe77b85828ca9ddc42977b79de9e40d18545b4fe",
              "status": "affected",
              "version": "8919a9b31eb4fb4c0a93e5fb350a626924302aa6",
              "versionType": "git"
            },
            {
              "lessThan": "be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc",
              "status": "affected",
              "version": "8919a9b31eb4fb4c0a93e5fb350a626924302aa6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.13.*",
              "status": "unaffected",
              "version": "5.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\n\nThis commit fixes a bug (found by syzkaller) that could cause spurious\ndouble-initializations for congestion control modules, which could cause\nmemory leaks or other problems for congestion control modules (like CDG)\nthat allocate memory in their init functions.\n\nThe buggy scenario constructed by syzkaller was something like:\n\n(1) create a TCP socket\n(2) initiate a TFO connect via sendto()\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\n    which calls:\n       tcp_set_congestion_control() -\u003e\n         tcp_reinit_congestion_control() -\u003e\n           tcp_init_congestion_control()\n(4) receive ACK, connection is established, call tcp_init_transfer(),\n    set icsk_ca_initialized=0 (without first calling cc-\u003erelease()),\n    call tcp_init_congestion_control() again.\n\nNote that in this sequence tcp_init_congestion_control() is called\ntwice without a cc-\u003erelease() call in between. Thus, for CC modules\nthat allocate memory in their init() function, e.g, CDG, a memory leak\nmay occur. The syzkaller tool managed to find a reproducer that\ntriggered such a leak in CDG.\n\nThe bug was introduced when that commit 8919a9b31eb4 (\"tcp: Only init\ncongestion control if not initialized already\")\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\ntcp_init_transfer(), missing the possibility for a sequence like the\none above, where a process could call setsockopt(TCP_CONGESTION) in\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\nwhich would call tcp_init_congestion_control(). It did not intend to\nreset any initialization that the user had already explicitly made;\nit just missed the possibility of that particular sequence (which\nsyzkaller managed to find)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:39:21.525Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc"
        }
      ],
      "title": "tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47304",
    "datePublished": "2024-05-21T14:35:24.670Z",
    "dateReserved": "2024-05-21T13:27:52.133Z",
    "dateUpdated": "2024-12-19T07:39:21.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47304\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T15:15:18.110\",\"lastModified\":\"2024-11-21T06:35:50.293\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\\n\\nThis commit fixes a bug (found by syzkaller) that could cause spurious\\ndouble-initializations for congestion control modules, which could cause\\nmemory leaks or other problems for congestion control modules (like CDG)\\nthat allocate memory in their init functions.\\n\\nThe buggy scenario constructed by syzkaller was something like:\\n\\n(1) create a TCP socket\\n(2) initiate a TFO connect via sendto()\\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\\n    which calls:\\n       tcp_set_congestion_control() -\u003e\\n         tcp_reinit_congestion_control() -\u003e\\n           tcp_init_congestion_control()\\n(4) receive ACK, connection is established, call tcp_init_transfer(),\\n    set icsk_ca_initialized=0 (without first calling cc-\u003erelease()),\\n    call tcp_init_congestion_control() again.\\n\\nNote that in this sequence tcp_init_congestion_control() is called\\ntwice without a cc-\u003erelease() call in between. Thus, for CC modules\\nthat allocate memory in their init() function, e.g, CDG, a memory leak\\nmay occur. The syzkaller tool managed to find a reproducer that\\ntriggered such a leak in CDG.\\n\\nThe bug was introduced when that commit 8919a9b31eb4 (\\\"tcp: Only init\\ncongestion control if not initialized already\\\")\\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\\ntcp_init_transfer(), missing the possibility for a sequence like the\\none above, where a process could call setsockopt(TCP_CONGESTION) in\\nstate TCP_SYN_SENT (i.e. 
after the connect() or TFO open sendmsg()),\\nwhich would call tcp_init_congestion_control(). It did not intend to\\nreset any initialization that the user had already explicitly made;\\nit just missed the possibility of that particular sequence (which\\nsyzkaller managed to find).\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: corrige tcp_init_transfer() para no restablecer icsk_ca_initialized Esta confirmaci\u00f3n corrige un error (encontrado por syzkaller) que podr\u00eda causar dobles inicializaciones falsas para los m\u00f3dulos de control de congesti\u00f3n, lo que podr\u00eda causar p\u00e9rdidas de memoria o Otros problemas para los m\u00f3dulos de control de congesti\u00f3n (como CDG) que asignan memoria en sus funciones de inicio. El escenario con errores construido por syzkaller era algo as\u00ed como: (1) crear un socket TCP (2) iniciar una conexi\u00f3n TFO a trav\u00e9s de sendto() (3) mientras el socket est\u00e1 en TCP_SYN_SENT, llamar a setsockopt(TCP_CONGESTION), que llama a: tcp_set_congestion_control() - \u0026gt; tcp_reinit_congestion_control() -\u0026gt; tcp_init_congestion_control() (4) recibe ACK, se establece la conexi\u00f3n, llama a tcp_init_transfer(), establece icsk_ca_initialized=0 (sin llamar primero a cc-\u0026gt;release()), llama a tcp_init_congestion_control() nuevamente. Tenga en cuenta que en esta secuencia tcp_init_congestion_control() se llama dos veces sin una llamada cc-\u0026gt;release() en el medio. Por lo tanto, para los m\u00f3dulos CC que asignan memoria en su funci\u00f3n init(), por ejemplo, CDG, puede ocurrir una p\u00e9rdida de memoria. La herramienta syzkaller logr\u00f3 encontrar un reproductor que desencaden\u00f3 dicha filtraci\u00f3n en CDG. 
El error se introdujo cuando la confirmaci\u00f3n 8919a9b31eb4 (\\\"tcp: solo inicia el control de congesti\u00f3n si a\u00fan no est\u00e1 inicializado\\\") introdujo icsk_ca_initialized y estableci\u00f3 icsk_ca_initialized en 0 en tcp_init_transfer(), perdiendo la posibilidad de una secuencia como la anterior, donde un proceso podr\u00eda llamar setsockopt(TCP_CONGESTION) en el estado TCP_SYN_SENT (es decir, despu\u00e9s de connect() o TFO open sendmsg()), que llamar\u00eda a tcp_init_congestion_control(). No ten\u00eda la intenci\u00f3n de restablecer ninguna inicializaci\u00f3n que el usuario ya hubiera realizado expl\u00edcitamente; simplemente perdi\u00f3 la posibilidad de esa secuencia particular (que Syzkaller logr\u00f3 encontrar).\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

