cve-2021-47536
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2024-12-19 07:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix wrong list_del in smc_lgr_cleanup_early smc_lgr_cleanup_early() meant to delete the link group from the link group list, but it deleted the list head by mistake. This may cause memory corruption since we didn't remove the real link group from the list and later memseted the link group structure. We got a list corruption panic when testing: [  231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000 [  231.278222] ------------[ cut here ]------------ [  231.278726] kernel BUG at lib/list_debug.c:53! [  231.279326] invalid opcode: 0000 [#1] SMP NOPTI [  231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435 [  231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 [  231.281248] Workqueue: events smc_link_down_work [  231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90 [  231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c 60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f> 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc [  231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292 [  231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000 [  231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040 [  231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001 [  231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001 [  231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003 [  231.288337] FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 [  231.289160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0 [  231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [  231.291940] Call Trace: [  231.292211]  smc_lgr_terminate_sched+0x53/0xa0 [  231.292677]  smc_switch_conns+0x75/0x6b0 [  231.293085]  ? update_load_avg+0x1a6/0x590 [  231.293517]  ? ttwu_do_wakeup+0x17/0x150 [  231.293907]  ? update_load_avg+0x1a6/0x590 [  231.294317]  ? newidle_balance+0xca/0x3d0 [  231.294716]  smcr_link_down+0x50/0x1a0 [  231.295090]  ? __wake_up_common_lock+0x77/0x90 [  231.295534]  smc_link_down_work+0x46/0x60 [  231.295933]  process_one_work+0x18b/0x350
Impacted products
Vendor Product Version
Linux Linux Version: 5.5
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47536",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-28T15:18:35.309729Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:14:10.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.717Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77731fede297a23d26f2d169b4269466b2c82529",
              "status": "affected",
              "version": "a0a62ee15a829ebf8aeec55a4f1688230439b3e0",
              "versionType": "git"
            },
            {
              "lessThan": "95518fe354d712dca6f431cf2a11b8f63bc9a66c",
              "status": "affected",
              "version": "a0a62ee15a829ebf8aeec55a4f1688230439b3e0",
              "versionType": "git"
            },
            {
              "lessThan": "789b6cc2a5f9123b9c549b886fdc47c865cfe0ba",
              "status": "affected",
              "version": "a0a62ee15a829ebf8aeec55a4f1688230439b3e0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix wrong list_del in smc_lgr_cleanup_early\n\nsmc_lgr_cleanup_early() meant to delete the link\ngroup from the link group list, but it deleted\nthe list head by mistake.\n\nThis may cause memory corruption since we didn\u0027t\nremove the real link group from the list and later\nmemseted the link group structure.\nWe got a list corruption panic when testing:\n\n[ \u00a0231.277259] list_del corruption. prev-\u003enext should be ffff8881398a8000, but was 0000000000000000\n[ \u00a0231.278222] ------------[ cut here ]------------\n[ \u00a0231.278726] kernel BUG at lib/list_debug.c:53!\n[ \u00a0231.279326] invalid opcode: 0000 [#1] SMP NOPTI\n[ \u00a0231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435\n[ \u00a0231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014\n[ \u00a0231.281248] Workqueue: events smc_link_down_work\n[ \u00a0231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90\n[ \u00a0231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c\n60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 \u003c0f\u003e\n0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc\n[ \u00a0231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292\n[ \u00a0231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000\n[ \u00a0231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040\n[ \u00a0231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001\n[ \u00a0231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001\n[ \u00a0231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003\n[ \u00a0231.288337] FS: \u00a00000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\n[ \u00a0231.289160] CS: \u00a00010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ \u00a0231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0\n[ \u00a0231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ \u00a0231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ \u00a0231.291940] Call Trace:\n[ \u00a0231.292211] \u00a0smc_lgr_terminate_sched+0x53/0xa0\n[ \u00a0231.292677] \u00a0smc_switch_conns+0x75/0x6b0\n[ \u00a0231.293085] \u00a0? update_load_avg+0x1a6/0x590\n[ \u00a0231.293517] \u00a0? ttwu_do_wakeup+0x17/0x150\n[ \u00a0231.293907] \u00a0? update_load_avg+0x1a6/0x590\n[ \u00a0231.294317] \u00a0? newidle_balance+0xca/0x3d0\n[ \u00a0231.294716] \u00a0smcr_link_down+0x50/0x1a0\n[ \u00a0231.295090] \u00a0? __wake_up_common_lock+0x77/0x90\n[ \u00a0231.295534] \u00a0smc_link_down_work+0x46/0x60\n[ \u00a0231.295933] \u00a0process_one_work+0x18b/0x350"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:44:23.218Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529"
        },
        {
          "url": "https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c"
        },
        {
          "url": "https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba"
        }
      ],
      "title": "net/smc: fix wrong list_del in smc_lgr_cleanup_early",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47536",
    "datePublished": "2024-05-24T15:09:44.651Z",
    "dateReserved": "2024-05-24T15:02:54.827Z",
    "dateUpdated": "2024-12-19T07:44:23.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47536\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:17.317\",\"lastModified\":\"2024-11-21T06:36:29.030\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: fix wrong list_del in smc_lgr_cleanup_early\\n\\nsmc_lgr_cleanup_early() meant to delete the link\\ngroup from the link group list, but it deleted\\nthe list head by mistake.\\n\\nThis may cause memory corruption since we didn\u0027t\\nremove the real link group from the list and later\\nmemseted the link group structure.\\nWe got a list corruption panic when testing:\\n\\n[ \u00a0231.277259] list_del corruption. prev-\u003enext should be ffff8881398a8000, but was 0000000000000000\\n[ \u00a0231.278222] ------------[ cut here ]------------\\n[ \u00a0231.278726] kernel BUG at lib/list_debug.c:53!\\n[ \u00a0231.279326] invalid opcode: 0000 [#1] SMP NOPTI\\n[ \u00a0231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435\\n[ \u00a0231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014\\n[ \u00a0231.281248] Workqueue: events smc_link_down_work\\n[ \u00a0231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90\\n[ \u00a0231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c\\n60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 \u003c0f\u003e\\n0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc\\n[ \u00a0231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292\\n[ \u00a0231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000\\n[ \u00a0231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040\\n[ \u00a0231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001\\n[ \u00a0231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001\\n[ \u00a0231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003\\n[ \u00a0231.288337] FS: \u00a00000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\\n[ \u00a0231.289160] CS: \u00a00010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[ \u00a0231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0\\n[ \u00a0231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n[ \u00a0231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n[ \u00a0231.291940] Call Trace:\\n[ \u00a0231.292211] \u00a0smc_lgr_terminate_sched+0x53/0xa0\\n[ \u00a0231.292677] \u00a0smc_switch_conns+0x75/0x6b0\\n[ \u00a0231.293085] \u00a0? update_load_avg+0x1a6/0x590\\n[ \u00a0231.293517] \u00a0? ttwu_do_wakeup+0x17/0x150\\n[ \u00a0231.293907] \u00a0? update_load_avg+0x1a6/0x590\\n[ \u00a0231.294317] \u00a0? newidle_balance+0xca/0x3d0\\n[ \u00a0231.294716] \u00a0smcr_link_down+0x50/0x1a0\\n[ \u00a0231.295090] \u00a0? __wake_up_common_lock+0x77/0x90\\n[ \u00a0231.295534] \u00a0smc_link_down_work+0x46/0x60\\n[ \u00a0231.295933] \u00a0process_one_work+0x18b/0x350\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/smc: corrige list_del incorrecto en smc_lgr_cleanup_early smc_lgr_cleanup_early() pretend\u00eda eliminar el grupo de enlaces de la lista de grupos de enlaces, pero elimin\u00f3 el encabezado de la lista por error. Esto puede causar da\u00f1os en la memoria ya que no eliminamos el grupo de enlaces real de la lista y luego integramos la estructura del grupo de enlaces. Recibimos un p\u00e1nico de corrupci\u00f3n de lista al realizar la prueba:  [  231.277259] list_del corruption. prev-\u0026gt;next should be ffff8881398a8000, but was 0000000000000000 [  231.278222] ------------[ cut here ]------------ [  231.278726] kernel BUG at lib/list_debug.c:53! [  231.279326] invalid opcode: 0000 [#1] SMP NOPTI [  231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435 [  231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 [  231.281248] Workqueue: events smc_link_down_work [  231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90 [  231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c 60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 \u0026lt;0f\u0026gt; 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc [  231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292 [  231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000 [  231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040 [  231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001 [  231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001 [  231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003 [  231.288337] FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 [  231.289160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [  231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0 [  231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [  231.291940] Call Trace: [  231.292211]  smc_lgr_terminate_sched+0x53/0xa0 [  231.292677]  smc_switch_conns+0x75/0x6b0 [  231.293085]  ? update_load_avg+0x1a6/0x590 [  231.293517]  ? ttwu_do_wakeup+0x17/0x150 [  231.293907]  ? update_load_avg+0x1a6/0x590 [  231.294317]  ? newidle_balance+0xca/0x3d0 [  231.294716]  smcr_link_down+0x50/0x1a0 [  231.295090]  ? __wake_up_common_lock+0x77/0x90 [  231.295534]  smc_link_down_work+0x46/0x60 [  231.295933]  process_one_work+0x18b/0x350 \"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.