cve-2021-47544
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2024-11-04 12:07
Severity ?
Summary
tcp: fix page frag corruption on page fault
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47544",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-28T17:06:35.022552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:15:09.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c6f340a331fb72e5ac23a083de9c780e132ca3ae"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5a9afcd827cafe14a95c9fcbded2c2d104f18dfc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dacb5d8875cc6cd3a553363b4d6f06760fcbe70c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/sock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c6f340a331fb",
              "status": "affected",
              "version": "5640f7685831",
              "versionType": "git"
            },
            {
              "lessThan": "5a9afcd827ca",
              "status": "affected",
              "version": "5640f7685831",
              "versionType": "git"
            },
            {
              "lessThan": "dacb5d8875cc",
              "status": "affected",
              "version": "5640f7685831",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/sock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix page frag corruption on page fault\n\nSteffen reported a TCP stream corruption for HTTP requests\nserved by the apache web-server using a cifs mount-point\nand memory mapping the relevant file.\n\nThe root cause is quite similar to the one addressed by\ncommit 20eb4f29b602 (\"net: fix sk_page_frag() recursion from\nmemory reclaim\"). Here the nested access to the task page frag\nis caused by a page fault on the (mmapped) user-space memory\nbuffer coming from the cifs file.\n\nThe page fault handler performs an smb transaction on a different\nsocket, inside the same process context. Since sk-\u003esk_allaction\nfor such socket does not prevent the usage for the task_frag,\nthe nested allocation modify \"under the hood\" the page frag\nin use by the outer sendmsg call, corrupting the stream.\n\nThe overall relevant stack trace looks like the following:\n\nhttpd 78268 [001] 3461630.850950:      probe:tcp_sendmsg_locked:\n        ffffffff91461d91 tcp_sendmsg_locked+0x1\n        ffffffff91462b57 tcp_sendmsg+0x27\n        ffffffff9139814e sock_sendmsg+0x3e\n        ffffffffc06dfe1d smb_send_kvec+0x28\n        [...]\n        ffffffffc06cfaf8 cifs_readpages+0x213\n        ffffffff90e83c4b read_pages+0x6b\n        ffffffff90e83f31 __do_page_cache_readahead+0x1c1\n        ffffffff90e79e98 filemap_fault+0x788\n        ffffffff90eb0458 __do_fault+0x38\n        ffffffff90eb5280 do_fault+0x1a0\n        ffffffff90eb7c84 __handle_mm_fault+0x4d4\n        ffffffff90eb8093 handle_mm_fault+0xc3\n        ffffffff90c74f6d __do_page_fault+0x1ed\n        ffffffff90c75277 do_page_fault+0x37\n        ffffffff9160111e page_fault+0x1e\n        ffffffff9109e7b5 copyin+0x25\n        ffffffff9109eb40 _copy_from_iter_full+0xe0\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\n        ffffffff91462b57 tcp_sendmsg+0x27\n        ffffffff9139815c sock_sendmsg+0x4c\n        ffffffff913981f7 sock_write_iter+0x97\n        ffffffff90f2cc56 do_iter_readv_writev+0x156\n        ffffffff90f2dff0 do_iter_write+0x80\n        ffffffff90f2e1c3 vfs_writev+0xa3\n        ffffffff90f2e27c do_writev+0x5c\n        ffffffff90c042bb do_syscall_64+0x5b\n        ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65\n\nThe cifs filesystem rightfully sets sk_allocations to GFP_NOFS,\nwe can avoid the nesting using the sk page frag for allocation\nlacking the __GFP_FS flag. Do not define an additional mm-helper\nfor that, as this is strictly tied to the sk page frag usage.\n\nv1 -\u003e v2:\n - use a stricted sk_page_frag() check instead of reordering the\n   code (Eric)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:07:57.998Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c6f340a331fb72e5ac23a083de9c780e132ca3ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a9afcd827cafe14a95c9fcbded2c2d104f18dfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/dacb5d8875cc6cd3a553363b4d6f06760fcbe70c"
        }
      ],
      "title": "tcp: fix page frag corruption on page fault",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47544",
    "datePublished": "2024-05-24T15:09:49.895Z",
    "dateReserved": "2024-05-24T15:02:54.829Z",
    "dateUpdated": "2024-11-04T12:07:57.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47544\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:18.983\",\"lastModified\":\"2024-05-24T18:09:20.027\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: fix page frag corruption on page fault\\n\\nSteffen reported a TCP stream corruption for HTTP requests\\nserved by the apache web-server using a cifs mount-point\\nand memory mapping the relevant file.\\n\\nThe root cause is quite similar to the one addressed by\\ncommit 20eb4f29b602 (\\\"net: fix sk_page_frag() recursion from\\nmemory reclaim\\\"). Here the nested access to the task page frag\\nis caused by a page fault on the (mmapped) user-space memory\\nbuffer coming from the cifs file.\\n\\nThe page fault handler performs an smb transaction on a different\\nsocket, inside the same process context. Since sk-\u003esk_allaction\\nfor such socket does not prevent the usage for the task_frag,\\nthe nested allocation modify \\\"under the hood\\\" the page frag\\nin use by the outer sendmsg call, corrupting the stream.\\n\\nThe overall relevant stack trace looks like the following:\\n\\nhttpd 78268 [001] 3461630.850950:      probe:tcp_sendmsg_locked:\\n        ffffffff91461d91 tcp_sendmsg_locked+0x1\\n        ffffffff91462b57 tcp_sendmsg+0x27\\n        ffffffff9139814e sock_sendmsg+0x3e\\n        ffffffffc06dfe1d smb_send_kvec+0x28\\n        [...]\\n        ffffffffc06cfaf8 cifs_readpages+0x213\\n        ffffffff90e83c4b read_pages+0x6b\\n        ffffffff90e83f31 __do_page_cache_readahead+0x1c1\\n        ffffffff90e79e98 filemap_fault+0x788\\n        ffffffff90eb0458 __do_fault+0x38\\n        ffffffff90eb5280 do_fault+0x1a0\\n        ffffffff90eb7c84 __handle_mm_fault+0x4d4\\n        ffffffff90eb8093 handle_mm_fault+0xc3\\n        ffffffff90c74f6d __do_page_fault+0x1ed\\n        ffffffff90c75277 do_page_fault+0x37\\n        ffffffff9160111e page_fault+0x1e\\n        ffffffff9109e7b5 copyin+0x25\\n        ffffffff9109eb40 _copy_from_iter_full+0xe0\\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\\n        ffffffff91462370 tcp_sendmsg_locked+0x5e0\\n        ffffffff91462b57 tcp_sendmsg+0x27\\n        ffffffff9139815c sock_sendmsg+0x4c\\n        ffffffff913981f7 sock_write_iter+0x97\\n        ffffffff90f2cc56 do_iter_readv_writev+0x156\\n        ffffffff90f2dff0 do_iter_write+0x80\\n        ffffffff90f2e1c3 vfs_writev+0xa3\\n        ffffffff90f2e27c do_writev+0x5c\\n        ffffffff90c042bb do_syscall_64+0x5b\\n        ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65\\n\\nThe cifs filesystem rightfully sets sk_allocations to GFP_NOFS,\\nwe can avoid the nesting using the sk page frag for allocation\\nlacking the __GFP_FS flag. Do not define an additional mm-helper\\nfor that, as this is strictly tied to the sk page frag usage.\\n\\nv1 -\u003e v2:\\n - use a stricted sk_page_frag() check instead of reordering the\\n   code (Eric)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tcp: corregir corrupci\u00f3n de fragmentos de p\u00e1gina en falla de p\u00e1gina Steffen inform\u00f3 una corrupci\u00f3n de flujo TCP para solicitudes HTTP atendidas por el servidor web Apache usando un punto de montaje cifs y mapeando la memoria del archivo relevante. La causa ra\u00edz es bastante similar a la abordada por el commit 20eb4f29b602 (\\\"net: fix sk_page_frag() recursividad desde la recuperaci\u00f3n de memoria\\\"). Aqu\u00ed, el acceso anidado al fragmento de la p\u00e1gina de tareas se debe a un error de p\u00e1gina en el b\u00fafer de memoria del espacio de usuario (mapeado) proveniente del archivo cifs. El controlador de errores de p\u00e1gina realiza una transacci\u00f3n smb en un socket diferente, dentro del mismo contexto de proceso. Dado que sk-\u0026gt;sk_allaction para dicho socket no impide el uso de task_frag, la asignaci\u00f3n anidada modifica \\\"bajo el cap\u00f3\\\" el fragmento de p\u00e1gina en uso por la llamada externa sendmsg, corrompiendo la secuencia. El seguimiento general de la pila relevante se parece al siguiente: httpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked: fffffff91461d91 tcp_sendmsg_locked+0x1 ffffffff91462b57 tcp_sendmsg+0x27 sock_sendmsg+0x3e ffffffffc06dfe1d smb_send_kvec+0x28 [...] ffffffffc06cfaf8 cifs_readpages+0x213 ffffffff90e83c4b read_pages+0x6b ffffffff90e83f31 __do_page_cache_readahead+0x1c1 ffffffff90e79e98 filemap_fault+0x788 ffffffff90eb0458 __do_fault+0x38 ffffffff90eb5280 do_fault+0x1a0 ffffffff90eb7c84 x4d4 ffffffff90eb8093 handle_mm_fault+0xc3 ffffffff90c74f6d __do_page_fault+0x1ed ffffffff90c75277 do_page_fault+0x37 ffffffff9160111e page_fault+0x1e ffffffff9109e7b5 copyin+0x25 9109eb40 _copia_de_iter_full+0xe0 ffffffff91462370 tcp_sendmsg_locked+0x5e0 ffffffff91462370 tcp_sendmsg_locked +0x5e0 ffffffff91462b57 tcp_sendmsg+0x27 ffffffff9139815c sock_sendmsg+0x4c ffffffff913981f7 sock_write_iter+0x97 ffffffff90f2cc56 do_iter_readv_writev+0x156 0 do_iter_write+0x80 ffffffff90f2e1c3 vfs_writev+0xa3 ffffffff90f2e27c do_writev+0x5c ffffffff90c042bb do_syscall_64+0x5b ffffffff916000ad Entry_SYSCALL_64_after_hwframe+0x65 El sistema de archivos cifs establece correctamente sk_allocations a GFP_NOFS, podemos evitar el anidamiento utilizando el fragmento de p\u00e1gina sk para la asignaci\u00f3n que carece del indicador __GFP_FS. No defina un mm-helper adicional para eso, ya que est\u00e1 estrictamente vinculado al uso del fragmento de p\u00e1gina sk. v1 -\u0026gt; v2: - use una verificaci\u00f3n estricta de sk_page_frag() en lugar de reordenar el c\u00f3digo (Eric)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5a9afcd827cafe14a95c9fcbded2c2d104f18dfc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c6f340a331fb72e5ac23a083de9c780e132ca3ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dacb5d8875cc6cd3a553363b4d6f06760fcbe70c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.