cve-2021-47546
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2024-11-04 12:07
Severity ?
EPSS score ?
Summary
ipv6: fix memory leak in fib6_rule_suppress
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2021-47546", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T17:34:31.593424Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T17:34:48.850Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:39:59.755Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/fib_rules.h", "net/core/fib_rules.c", "net/ipv4/fib_rules.c", "net/ipv6/fib6_rules.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ee38eb8cf9a7", "status": "affected", "version": "ca7a03c41753", "versionType": "git" }, { "lessThan": "209d35ee34e2", "status": "affected", "version": "ca7a03c41753", "versionType": "git" }, { "lessThan": "8ef8a76a340e", "status": "affected", "version": "ca7a03c41753", "versionType": "git" }, { "lessThan": "cdef485217d3", "status": "affected", "version": "ca7a03c41753", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/fib_rules.h", "net/core/fib_rules.c", "net/ipv4/fib_rules.c", "net/ipv6/fib6_rules.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.164", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.84", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix memory leak in fib6_rule_suppress\n\nThe kernel leaks memory when a `fib` rule is present in IPv6 nftables\nfirewall rules and a suppress_prefix rule is present in the IPv6 routing\nrules (used by certain tools such as wg-quick). In such scenarios, every\nincoming packet will leak an allocation in `ip6_dst_cache` slab cache.\n\nAfter some hours of `bpftrace`-ing and source code reading, I tracked\ndown the issue to ca7a03c41753 (\"ipv6: do not free rt if\nFIB_LOOKUP_NOREF is set on suppress rule\").\n\nThe problem with that change is that the generic `args-\u003eflags` always have\n`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag\n`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not\ndecreasing the refcount when needed.\n\nHow to reproduce:\n - Add the following nftables rule to a prerouting chain:\n meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n This can be done with:\n sudo nft create table inet test\n sudo nft create chain inet test test_chain \u0027{ type filter hook prerouting priority filter + 10; policy accept; }\u0027\n sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop\n - Run:\n sudo ip -6 rule add table main suppress_prefixlength 0\n - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase\n with every incoming ipv6 packet.\n\nThis patch exposes the protocol-specific flags to the protocol\nspecific `suppress` function, and check the protocol-specific `flags`\nargument for RT6_LOOKUP_F_DST_NOREF instead of the generic\nFIB_LOOKUP_NOREF when decreasing the refcount, like this.\n\n[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71\n[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99" } ], "providerMetadata": { "dateUpdated": "2024-11-04T12:07:59.220Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29" }, { "url": "https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa" }, { "url": "https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383" }, { "url": "https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1" } ], "title": "ipv6: fix memory leak in fib6_rule_suppress", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47546", "datePublished": "2024-05-24T15:09:51.286Z", "dateReserved": "2024-05-24T15:02:54.829Z", "dateUpdated": "2024-11-04T12:07:59.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-47546\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:19.450\",\"lastModified\":\"2024-06-10T18:30:20.320\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: fix memory leak in fib6_rule_suppress\\n\\nThe kernel leaks memory when a `fib` rule is present in IPv6 nftables\\nfirewall rules and a suppress_prefix rule is present in the IPv6 routing\\nrules (used by certain tools such as wg-quick). In such scenarios, every\\nincoming packet will leak an allocation in `ip6_dst_cache` slab cache.\\n\\nAfter some hours of `bpftrace`-ing and source code reading, I tracked\\ndown the issue to ca7a03c41753 (\\\"ipv6: do not free rt if\\nFIB_LOOKUP_NOREF is set on suppress rule\\\").\\n\\nThe problem with that change is that the generic `args-\u003eflags` always have\\n`FIB_LOOKUP_NOREF` set[1][2] but the IPv6-specific flag\\n`RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not\\ndecreasing the refcount when needed.\\n\\nHow to reproduce:\\n - Add the following nftables rule to a prerouting chain:\\n meta nfproto ipv6 fib saddr . mark . iif oif missing drop\\n This can be done with:\\n sudo nft create table inet test\\n sudo nft create chain inet test test_chain \u0027{ type filter hook prerouting priority filter + 10; policy accept; }\u0027\\n sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop\\n - Run:\\n sudo ip -6 rule add table main suppress_prefixlength 0\\n - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase\\n with every incoming ipv6 packet.\\n\\nThis patch exposes the protocol-specific flags to the protocol\\nspecific `suppress` function, and check the protocol-specific `flags`\\nargument for RT6_LOOKUP_F_DST_NOREF instead of the generic\\nFIB_LOOKUP_NOREF when decreasing the refcount, like this.\\n\\n[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71\\n[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ipv6: corrige la p\u00e9rdida de memoria en fib6_rule_suppress El kernel pierde memoria cuando una regla `fib` est\u00e1 presente en las reglas de firewall de nftables de IPv6 y una regla de supresi\u00f3n_prefix est\u00e1 presente en las reglas de enrutamiento de IPv6 (utilizadas por ciertas herramientas como wg-quick). En tales escenarios, cada paquete entrante perder\u00e1 una asignaci\u00f3n en el cach\u00e9 de losa `ip6_dst_cache`. Despu\u00e9s de algunas horas de `bpftrace`-ing y lectura del c\u00f3digo fuente, rastre\u00e9 el problema hasta ca7a03c41753 (\\\"ipv6: no libere rt si FIB_LOOKUP_NOREF est\u00e1 configurado en la regla de supresi\u00f3n\\\"). El problema con ese cambio es que los `args-\u0026gt;flags` gen\u00e9ricos siempre tienen `FIB_LOOKUP_NOREF` configurado[1][2] pero el indicador espec\u00edfico de IPv6 `RT6_LOOKUP_F_DST_NOREF` podr\u00eda no estarlo, lo que lleva a que `fib6_rule_suppress` no disminuya el recuento cuando necesario. C\u00f3mo reproducir: - Agregue la siguiente regla nftables a una cadena de enrutamiento previo: meta nfproto ipv6 fib saddr. marca . iif oif falta gota Esto se puede hacer con: sudo nft create table inet test sudo nft create chain inet test test_chain \u0027{ tipo filtro gancho prerouting filtro de prioridad + 10; aceptar pol\u00edtica; }\u0027 sudo nft agregar regla inet test test_chain meta nfproto ipv6 fib saddr. marca . iif oif falta gota - Ejecutar: sudo ip -6 regla agregar tabla principal suprimir_prefixlength 0 - Ver `sudo slabtop -o | grep ip6_dst_cache` para ver el aumento del uso de memoria con cada paquete ipv6 entrante. Este parche expone los indicadores espec\u00edficos del protocolo a la funci\u00f3n `suprimir` espec\u00edfica del protocolo y verifica el argumento `flags` espec\u00edfico del protocolo para RT6_LOOKUP_F_DST_NOREF en lugar del FIB_LOOKUP_NOREF gen\u00e9rico al disminuir el recuento, de esta manera. [1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71 [2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038 c3266e26/net /ipv6/fib6_rules.c#L99\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4\",\"versionEndExcluding\":\"5.4.164\",\"matchCriteriaId\":\"1C6E0E5A-819B-4CEA-BD4B-6647308627E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.84\",\"matchCriteriaId\":\"AE5B4333-2C46-40C3-8B42-0168AD91DDE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.7\",\"matchCriteriaId\":\"A696A60B-2782-4119-83DD-1EFFBC903F02\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.