cve-2021-47546
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2024-11-04 12:07
Severity ?
Summary
ipv6: fix memory leak in fib6_rule_suppress
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47546",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:34:31.593424Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:34:48.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.755Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/fib_rules.h",
            "net/core/fib_rules.c",
            "net/ipv4/fib_rules.c",
            "net/ipv6/fib6_rules.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee38eb8cf9a7",
              "status": "affected",
              "version": "ca7a03c41753",
              "versionType": "git"
            },
            {
              "lessThan": "209d35ee34e2",
              "status": "affected",
              "version": "ca7a03c41753",
              "versionType": "git"
            },
            {
              "lessThan": "8ef8a76a340e",
              "status": "affected",
              "version": "ca7a03c41753",
              "versionType": "git"
            },
            {
              "lessThan": "cdef485217d3",
              "status": "affected",
              "version": "ca7a03c41753",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/fib_rules.h",
            "net/core/fib_rules.c",
            "net/ipv4/fib_rules.c",
            "net/ipv6/fib6_rules.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix memory leak in fib6_rule_suppress\n\nThe kernel leaks memory when a `fib` rule is present in IPv6 nftables\nfirewall rules and a suppress_prefix rule is present in the IPv6 routing\nrules (used by certain tools such as wg-quick). In such scenarios, every\nincoming packet will leak an allocation in `ip6_dst_cache` slab cache.\n\nAfter some hours of `bpftrace`-ing and source code reading, I tracked\ndown the issue to ca7a03c41753 (\"ipv6: do not free rt if\nFIB_LOOKUP_NOREF is set on suppress rule\").\n\nThe problem with that change is that the generic `args-\u003eflags` always have\n`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag\n`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not\ndecreasing the refcount when needed.\n\nHow to reproduce:\n - Add the following nftables rule to a prerouting chain:\n     meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n   This can be done with:\n     sudo nft create table inet test\n     sudo nft create chain inet test test_chain \u0027{ type filter hook prerouting priority filter + 10; policy accept; }\u0027\n     sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n - Run:\n     sudo ip -6 rule add table main suppress_prefixlength 0\n - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase\n   with every incoming ipv6 packet.\n\nThis patch exposes the protocol-specific flags to the protocol\nspecific `suppress` function, and check the protocol-specific `flags`\nargument for RT6_LOOKUP_F_DST_NOREF instead of the generic\nFIB_LOOKUP_NOREF when decreasing the refcount, like this.\n\n[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71\n[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:07:59.220Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29"
        },
        {
          "url": "https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1"
        }
      ],
      "title": "ipv6: fix memory leak in fib6_rule_suppress",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47546",
    "datePublished": "2024-05-24T15:09:51.286Z",
    "dateReserved": "2024-05-24T15:02:54.829Z",
    "dateUpdated": "2024-11-04T12:07:59.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47546\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:19.450\",\"lastModified\":\"2024-06-10T18:30:20.320\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fix memory leak in fib6_rule_suppress\\n\\nThe kernel leaks memory when a `fib` rule is present in IPv6 nftables\\nfirewall rules and a suppress_prefix rule is present in the IPv6 routing\\nrules (used by certain tools such as wg-quick). In such scenarios, every\\nincoming packet will leak an allocation in `ip6_dst_cache` slab cache.\\n\\nAfter some hours of `bpftrace`-ing and source code reading, I tracked\\ndown the issue to ca7a03c41753 (\\\"ipv6: do not free rt if\\nFIB_LOOKUP_NOREF is set on suppress rule\\\").\\n\\nThe problem with that change is that the generic `args-\u003eflags` always have\\n`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag\\n`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not\\ndecreasing the refcount when needed.\\n\\nHow to reproduce:\\n - Add the following nftables rule to a prerouting chain:\\n     meta nfproto ipv6 fib saddr . mark . iif oif missing drop\\n   This can be done with:\\n     sudo nft create table inet test\\n     sudo nft create chain inet test test_chain \u0027{ type filter hook prerouting priority filter + 10; policy accept; }\u0027\\n     sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop\\n - Run:\\n     sudo ip -6 rule add table main suppress_prefixlength 0\\n - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase\\n   with every incoming ipv6 packet.\\n\\nThis patch exposes the protocol-specific flags to the protocol\\nspecific `suppress` function, and check the protocol-specific `flags`\\nargument for RT6_LOOKUP_F_DST_NOREF instead of the generic\\nFIB_LOOKUP_NOREF when decreasing the refcount, like this.\\n\\n[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71\\n[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ipv6: corrige la p\u00e9rdida de memoria en fib6_rule_suppress El kernel pierde memoria cuando una regla `fib` est\u00e1 presente en las reglas de firewall de nftables de IPv6 y una regla de supresi\u00f3n_prefix est\u00e1 presente en las reglas de enrutamiento de IPv6 (utilizadas por ciertas herramientas como wg-quick). En tales escenarios, cada paquete entrante perder\u00e1 una asignaci\u00f3n en el cach\u00e9 de losa `ip6_dst_cache`. Despu\u00e9s de algunas horas de `bpftrace`-ing y lectura del c\u00f3digo fuente, rastre\u00e9 el problema hasta ca7a03c41753 (\\\"ipv6: no libere rt si FIB_LOOKUP_NOREF est\u00e1 configurado en la regla de supresi\u00f3n\\\"). El problema con ese cambio es que los `args-\u0026gt;flags` gen\u00e9ricos siempre tienen `FIB_LOOKUP_NOREF` configurado[1][2] pero el indicador espec\u00edfico de IPv6 `RT6_LOOKUP_F_DST_NOREF` podr\u00eda no estarlo, lo que lleva a que `fib6_rule_suppress` no disminuya el recuento cuando necesario. C\u00f3mo reproducir: - Agregue la siguiente regla nftables a una cadena de enrutamiento previo: meta nfproto ipv6 fib saddr. marca . iif oif falta gota Esto se puede hacer con: sudo nft create table inet test sudo nft create chain inet test test_chain \u0027{ tipo filtro gancho prerouting filtro de prioridad + 10; aceptar pol\u00edtica; }\u0027 sudo nft agregar regla inet test test_chain meta nfproto ipv6 fib saddr. marca . iif oif falta gota - Ejecutar: sudo ip -6 regla agregar tabla principal suprimir_prefixlength 0 - Ver `sudo slabtop -o | grep ip6_dst_cache` para ver el aumento del uso de memoria con cada paquete ipv6 entrante. Este parche expone los indicadores espec\u00edficos del protocolo a la funci\u00f3n `suprimir` espec\u00edfica del protocolo y verifica el argumento `flags` espec\u00edfico del protocolo para RT6_LOOKUP_F_DST_NOREF en lugar del FIB_LOOKUP_NOREF gen\u00e9rico al disminuir el recuento, de esta manera. [1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71 [2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038 c3266e26/net /ipv6/fib6_rules.c#L99\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4\",\"versionEndExcluding\":\"5.4.164\",\"matchCriteriaId\":\"1C6E0E5A-819B-4CEA-BD4B-6647308627E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.84\",\"matchCriteriaId\":\"AE5B4333-2C46-40C3-8B42-0168AD91DDE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.7\",\"matchCriteriaId\":\"A696A60B-2782-4119-83DD-1EFFBC903F02\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.