cve-2021-47448
Vulnerability from cvelistv5
Published
2024-05-22 06:19
Modified
2024-09-11 17:33
Severity
Summary
mptcp: fix possible stall on recvmsg()
References
SourceURLTags
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1a4554e94f0deff9fc1dc5addf93fa579cc29711
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/612f71d7328c14369924384ad2170aae2a6abd92
Impacted products
VendorProduct
LinuxLinux
LinuxLinux
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.611Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1a4554e94f0deff9fc1dc5addf93fa579cc29711"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/612f71d7328c14369924384ad2170aae2a6abd92"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47448",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:36:18.098656Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:26.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1a4554e94f0d",
              "status": "affected",
              "version": "7a6a6cbc3e59",
              "versionType": "git"
            },
            {
              "lessThan": "612f71d7328c",
              "status": "affected",
              "version": "7a6a6cbc3e59",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.14",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible stall on recvmsg()\n\nrecvmsg() can enter an infinite loop if the caller provides the\nMSG_WAITALL, the data present in the receive queue is not sufficient to\nfulfill the request, and no more data is received by the peer.\n\nWhen the above happens, mptcp_wait_data() will always return with\nno wait, as the MPTCP_DATA_READY flag checked by such function is\nset and never cleared in such code path.\n\nLeveraging the above syzbot was able to trigger an RCU stall:\n\nrcu: INFO: rcu_preempt self-detected stall on CPU\nrcu:    0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1\n        (t=10500 jiffies g=13089 q=109)\nrcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) -\u003estate=0x0 -\u003ecpu=1\nrcu:    Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.\nrcu: RCU grace-period kthread stack dump:\ntask:rcu_preempt     state:R  running task     stack:28696 pid:   14 ppid:     2 flags:0x00004000\nCall Trace:\n context_switch kernel/sched/core.c:4955 [inline]\n __schedule+0x940/0x26f0 kernel/sched/core.c:6236\n schedule+0xd3/0x270 kernel/sched/core.c:6315\n schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881\n rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955\n rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128\n kthread+0x405/0x4f0 kernel/kthread.c:327\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\nrcu: Stack dump where RCU GP kthread last ran:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]\nRIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]\nRIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]\nRIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]\nRIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\nRIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189\nCode: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 \u003c48\u003e 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00\nRSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283\nRAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870\nRBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877\nR10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000\nR13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000\nFS:  0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n instrument_atomic_read_write include/linux/instrumented.h:101 [inline]\n test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]\n mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016\n release_sock+0xb4/0x1b0 net/core/sock.c:3204\n mptcp_wait_data net/mptcp/protocol.c:1770 [inline]\n mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080\n inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659\n sock_recvmsg_nosec net/socket.c:944 [inline]\n ____sys_recvmsg+0x527/0x600 net/socket.c:2626\n ___sys_recvmsg+0x127/0x200 net/socket.c:2670\n do_recvmmsg+0x24d/0x6d0 net/socket.c:2764\n __sys_recvmmsg net/socket.c:2843 [inline]\n __do_sys_recvmmsg net/socket.c:2866 [inline]\n __se_sys_recvmmsg net/socket.c:2859 [inline]\n __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc200d2\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T05:08:06.755Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1a4554e94f0deff9fc1dc5addf93fa579cc29711"
        },
        {
          "url": "https://git.kernel.org/stable/c/612f71d7328c14369924384ad2170aae2a6abd92"
        }
      ],
      "title": "mptcp: fix possible stall on recvmsg()",
      "x_generator": {
        "engine": "bippy-a5840b7849dd"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47448",
    "datePublished": "2024-05-22T06:19:40.141Z",
    "dateReserved": "2024-05-21T14:58:30.832Z",
    "dateUpdated": "2024-09-11T17:33:26.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47448\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-22T07:15:09.970\",\"lastModified\":\"2024-05-22T12:46:53.887\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: fix possible stall on recvmsg()\\n\\nrecvmsg() can enter an infinite loop if the caller provides the\\nMSG_WAITALL, the data present in the receive queue is not sufficient to\\nfulfill the request, and no more data is received by the peer.\\n\\nWhen the above happens, mptcp_wait_data() will always return with\\nno wait, as the MPTCP_DATA_READY flag checked by such function is\\nset and never cleared in such code path.\\n\\nLeveraging the above syzbot was able to trigger an RCU stall:\\n\\nrcu: INFO: rcu_preempt self-detected stall on CPU\\nrcu:    0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1\\n        (t=10500 jiffies g=13089 q=109)\\nrcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) -\u003estate=0x0 -\u003ecpu=1\\nrcu:    Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.\\nrcu: RCU grace-period kthread stack dump:\\ntask:rcu_preempt     state:R  running task     stack:28696 pid:   14 ppid:     2 flags:0x00004000\\nCall Trace:\\n context_switch kernel/sched/core.c:4955 [inline]\\n __schedule+0x940/0x26f0 kernel/sched/core.c:6236\\n schedule+0xd3/0x270 kernel/sched/core.c:6315\\n schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881\\n rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955\\n rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128\\n kthread+0x405/0x4f0 kernel/kthread.c:327\\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\\nrcu: Stack dump where RCU GP kthread last ran:\\nSending NMI from CPU 0 to CPUs 1:\\nNMI backtrace for cpu 1\\nCPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\\nRIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]\\nRIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]\\nRIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]\\nRIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]\\nRIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\\nRIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189\\nCode: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 \u003c48\u003e 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00\\nRSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283\\nRAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a\\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870\\nRBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877\\nR10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000\\nR13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000\\nFS:  0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\\nS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n instrument_atomic_read_write include/linux/instrumented.h:101 [inline]\\n test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]\\n mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016\\n release_sock+0xb4/0x1b0 net/core/sock.c:3204\\n mptcp_wait_data net/mptcp/protocol.c:1770 [inline]\\n mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080\\n inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659\\n sock_recvmsg_nosec net/socket.c:944 [inline]\\n ____sys_recvmsg+0x527/0x600 net/socket.c:2626\\n ___sys_recvmsg+0x127/0x200 net/socket.c:2670\\n do_recvmmsg+0x24d/0x6d0 net/socket.c:2764\\n __sys_recvmmsg net/socket.c:2843 [inline]\\n __do_sys_recvmmsg net/socket.c:2866 [inline]\\n __se_sys_recvmmsg net/socket.c:2859 [inline]\\n __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\\nRIP: 0033:0x7fc200d2\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: corrige posible bloqueo en recvmsg() recvmsg() puede entrar en un bucle infinito si la persona que llama proporciona MSG_WAITALL, los datos presentes en la cola de recepci\u00f3n no son suficientes para cumplir con la solicitud y el par no recibe m\u00e1s datos. Cuando sucede lo anterior, mptcp_wait_data() siempre regresar\u00e1 sin espera, ya que el indicador MPTCP_DATA_READY verificado por dicha funci\u00f3n se establece y nunca se borra en dicha ruta de c\u00f3digo. Aprovechar el syzbot anterior fue capaz de desencadenar una parada de RCU: rcu: INFO: rcu_preempt parada autodetectada en la CPU rcu: 0-...!: (10499 marca este GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1 (t=10500 jiffies g=13089 q=109) rcu: rcu_preempt \u00a1kthread se qued\u00f3 sin 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) -\u0026gt;state=0x0 -\u0026gt;cpu=1 rcu: A menos que rcu_preempt kthread obtenga suficiente tiempo de CPU, ahora se espera que OOM sea el comportamiento. rcu: Volcado de pila de kthread del per\u00edodo de gracia de RCU: tarea: rcu_preempt estado: R pila de tareas en ejecuci\u00f3n: 28696 pid: 14 ppid: 2 banderas: 0x00004000 Seguimiento de llamadas: context_switch kernel/sched/core.c:4955 [en l\u00ednea] __schedule+0x940/ 0x26f0 kernel/sched/core.c:6236 Schedule+0xd3/0x270 kernel/sched/core.c:6315 Schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881 rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c :1955 rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128 kthread+0x405/0x4f0 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 rcu: Volcado de pila donde RCU \u00daltima ejecuci\u00f3n de GP kthread: Env\u00edo de NMI desde la CPU 0 a las CPU 1: seguimiento de NMI para la CPU 1 CPU: 1 PID: 8510 Comm: syz-executor827 No contaminado 5.15.0-rc2-next-20210920-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [en l\u00ednea] RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [en l\u00ednea] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [en l\u00ednea] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [en l\u00ednea] RIP: 0010:check_region_inline mm/kasan/generic.c:180 [en l\u00ednea] RIP : 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189 C\u00f3digo: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 \u0026lt;48\u0026gt; 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00 RSP: 0018:ffffc9000cd676c8 EFLAGS: 000283 RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX : ffffffff88ea062a RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870 RBP: ffffed100e9a110e R08: 0000000000000001 R09: d08877 R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000 R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000 0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 S: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0 0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: instrument_atomic_ lectura_escritura incluye/linux/ instrumented.h:101 [en l\u00ednea] test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [en l\u00ednea] mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016 release_sock+0xb4/0x1b0 net/core/ sock.c:3204 mptcp_wait_data net/mptcp/protocol.c:1770 [en l\u00ednea] mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080 inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659 vmsg_nosec red/socket .c:944 [en l\u00ednea] ____sys_recvmsg+0x527/0x600 net/socket.c:2626 ___sys_recvmsg+0x127/0x200 net/socket.c:2670 do_recvmmsg+0x24d/0x6d0 net/socket.c:2764 net/socket.c: 2843 [en l\u00ednea] __do_sys_recvmmsg net/socket.c:2866 [en l\u00ednea] __se_sys_recvmmsg net/socket.c:2859 [en l\u00ednea] ---truncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1a4554e94f0deff9fc1dc5addf93fa579cc29711\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/612f71d7328c14369924384ad2170aae2a6abd92\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.