cve-2021-47451
Vulnerability from cvelistv5
Published
2024-05-22 06:19
Modified
2024-12-19 07:42
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Currently, when the rule related to IDLETIMER is added, idletimer_tg timer structure is initialized by kmalloc on executing idletimer_tg_create function. However, in this process timer->timer_type is not defined to a specific value. Thus, timer->timer_type has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timer_type using kzalloc instead of kmalloc. Test commands: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed Splat looks like: BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70 Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] dev_attr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? device_remove_bin_file+0x20/0x20 kernfs_seq_show+0xa4/0xb0 seq_read_iter+0x29c/0x750 kernfs_fop_read_iter+0x25a/0x2c0 ? __fsnotify_parent+0x3d1/0x570 ? iov_iter_init+0x70/0x90 new_sync_read+0x2a7/0x3d0 ? __x64_sys_llseek+0x230/0x230 ? rw_verify_area+0x81/0x150 vfs_read+0x17b/0x240 ksys_read+0xd9/0x180 ? vfs_write+0x460/0x460 ? do_syscall_64+0x16/0xc0 ? lockdep_hardirqs_on+0x79/0x120 __x64_sys_read+0x43/0x50 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
Impacted products
Vendor Product Version
Linux Linux Version: 5.7
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47451",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-24T19:25:32.208577Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:14:53.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.385Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a670c323055282c9b72794a491d53cef86bbeaf",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "cae7cab804c943d723d52724a3aeb07a3f4a2650",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "902c0b1887522a099aa4e1e6b4b476c2fe5dd13e",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\n\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\nstructure is initialized by kmalloc on executing idletimer_tg_create\nfunction. However, in this process timer-\u003etimer_type is not defined to\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\nkernel panic. So, this commit fixes the panic by initializing\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\n\nTest commands:\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\n    $ cat /sys/class/xt_idletimer/timers/test\n      Killed\n\nSplat looks like:\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    Call Trace:\n     dump_stack_lvl+0x6e/0x9c\n     kasan_report.cold+0x112/0x117\n     ? alarm_expires_remaining+0x49/0x70\n     __asan_load8+0x86/0xb0\n     alarm_expires_remaining+0x49/0x70\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\n     dev_attr_show+0x3c/0x60\n     sysfs_kf_seq_show+0x11d/0x1f0\n     ? device_remove_bin_file+0x20/0x20\n     kernfs_seq_show+0xa4/0xb0\n     seq_read_iter+0x29c/0x750\n     kernfs_fop_read_iter+0x25a/0x2c0\n     ? __fsnotify_parent+0x3d1/0x570\n     ? iov_iter_init+0x70/0x90\n     new_sync_read+0x2a7/0x3d0\n     ? __x64_sys_llseek+0x230/0x230\n     ? rw_verify_area+0x81/0x150\n     vfs_read+0x17b/0x240\n     ksys_read+0xd9/0x180\n     ? vfs_write+0x460/0x460\n     ? do_syscall_64+0x16/0xc0\n     ? lockdep_hardirqs_on+0x79/0x120\n     __x64_sys_read+0x43/0x50\n     do_syscall_64+0x3b/0xc0\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RIP: 0033:0x7f0cdc819142\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:42:33.601Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650"
        },
        {
          "url": "https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e"
        }
      ],
      "title": "netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47451",
    "datePublished": "2024-05-22T06:19:42.082Z",
    "dateReserved": "2024-05-21T14:58:30.832Z",
    "dateUpdated": "2024-12-19T07:42:33.601Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47451\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-22T07:15:10.220\",\"lastModified\":\"2024-11-21T06:36:10.437\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\\n\\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\\nstructure is initialized by kmalloc on executing idletimer_tg_create\\nfunction. However, in this process timer-\u003etimer_type is not defined to\\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\\nkernel panic. So, this commit fixes the panic by initializing\\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\\n\\nTest commands:\\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\\n    $ cat /sys/class/xt_idletimer/timers/test\\n      Killed\\n\\nSplat looks like:\\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\\n    Call Trace:\\n     dump_stack_lvl+0x6e/0x9c\\n     kasan_report.cold+0x112/0x117\\n     ? alarm_expires_remaining+0x49/0x70\\n     __asan_load8+0x86/0xb0\\n     alarm_expires_remaining+0x49/0x70\\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\\n     dev_attr_show+0x3c/0x60\\n     sysfs_kf_seq_show+0x11d/0x1f0\\n     ? device_remove_bin_file+0x20/0x20\\n     kernfs_seq_show+0xa4/0xb0\\n     seq_read_iter+0x29c/0x750\\n     kernfs_fop_read_iter+0x25a/0x2c0\\n     ? __fsnotify_parent+0x3d1/0x570\\n     ? iov_iter_init+0x70/0x90\\n     new_sync_read+0x2a7/0x3d0\\n     ? __x64_sys_llseek+0x230/0x230\\n     ? rw_verify_area+0x81/0x150\\n     vfs_read+0x17b/0x240\\n     ksys_read+0xd9/0x180\\n     ? vfs_write+0x460/0x460\\n     ? do_syscall_64+0x16/0xc0\\n     ? lockdep_hardirqs_on+0x79/0x120\\n     __x64_sys_read+0x43/0x50\\n     do_syscall_64+0x3b/0xc0\\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\\n    RIP: 0033:0x7f0cdc819142\\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: xt_IDLETIMER: corrige el p\u00e1nico que ocurre cuando timer_type tiene valor basura Actualmente, cuando se agrega la regla relacionada con IDLETIMER, kmalloc inicializa la estructura del temporizador idletimer_tg al ejecutar la funci\u00f3n idletimer_tg_create. Sin embargo, en este proceso timer-\u0026gt;timer_type no est\u00e1 definido en un valor espec\u00edfico. Por lo tanto, timer-\u0026gt;timer_type tiene un valor basura y se produce un p\u00e1nico en el kernel. Entonces, esta confirmaci\u00f3n soluciona el p\u00e1nico al inicializar timer-\u0026gt;timer_type usando kzalloc en lugar de kmalloc. Comandos de prueba: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed Splat se ve as\u00ed: ERROR: KASAN: acceso a memoria de usuario en alarm_expires_remaining+0x49/ 0x70 Lectura del tama\u00f1o 8 en la direcci\u00f3n 0000002e8c7bc4c8 por tarea cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 009), BIOS 1.13.0- 1ubuntu1.1 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] tr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? device_remove_bin_file+0x20/0x20 kernfs_seq_show+0xa4/0xb0 seq_read_iter+0x29c/0x750 kernfs_fop_read_iter+0x25a/0x2c0 ? __fsnotify_parent+0x3d1/0x570? iov_iter_init+0x70/0x90 new_sync_read+0x2a7/0x3d0? __x64_sys_llseek+0x230/0x230 ? rw_verify_area+0x81/0x150 vfs_read+0x17b/0x240 ksys_read+0xd9/0x180 ? vfs_write+0x460/0x460? do_syscall_64+0x16/0xc0? lockdep_hardirqs_on+0x79/0x120 __x64_sys_read+0x43/0x50 do_syscall_64+0x3b/0xc0 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 C\u00f3digo: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: :00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc03200 0 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 00000000000000246 R 12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.