cve-2021-47556
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2024-12-19 07:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce() ethtool_set_coalesce() now uses both the .get_coalesce() and .set_coalesce() callbacks. But the check for their availability is buggy, so changing the coalesce settings on a device where the driver provides only _one_ of the callbacks results in a NULL pointer dereference instead of an -EOPNOTSUPP. Fix the condition so that the availability of both callbacks is ensured. This also matches the netlink code. Note that reproducing this requires some effort - it only affects the legacy ioctl path, and needs a specific combination of driver options: - have .get_coalesce() and .coalesce_supported but no .set_coalesce(), or - have .set_coalesce() but no .get_coalesce(). Here eg. ethtool doesn't cause the crash as it first attempts to call ethtool_get_coalesce() and bails out on error.
Impacted products
Vendor Product Version
Linux Linux Version: 5.15
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.696Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/abfdd9e2f0f9699015d72317f74154d3e53664e6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0276af2176c78771da7f311621a25d7608045827"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47556",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:35:17.251127Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:20.673Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ethtool/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "abfdd9e2f0f9699015d72317f74154d3e53664e6",
              "status": "affected",
              "version": "f3ccfda1931977b80267ba54070a1aeafa18f6ca",
              "versionType": "git"
            },
            {
              "lessThan": "0276af2176c78771da7f311621a25d7608045827",
              "status": "affected",
              "version": "f3ccfda1931977b80267ba54070a1aeafa18f6ca",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ethtool/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce()\n\nethtool_set_coalesce() now uses both the .get_coalesce() and\n.set_coalesce() callbacks. But the check for their availability is\nbuggy, so changing the coalesce settings on a device where the driver\nprovides only _one_ of the callbacks results in a NULL pointer\ndereference instead of an -EOPNOTSUPP.\n\nFix the condition so that the availability of both callbacks is\nensured. This also matches the netlink code.\n\nNote that reproducing this requires some effort - it only affects the\nlegacy ioctl path, and needs a specific combination of driver options:\n- have .get_coalesce() and .coalesce_supported but no\n .set_coalesce(), or\n- have .set_coalesce() but no .get_coalesce(). Here eg. ethtool doesn\u0027t\n  cause the crash as it first attempts to call ethtool_get_coalesce()\n  and bails out on error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:44:45.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/abfdd9e2f0f9699015d72317f74154d3e53664e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/0276af2176c78771da7f311621a25d7608045827"
        }
      ],
      "title": "ethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce()",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47556",
    "datePublished": "2024-05-24T15:09:57.983Z",
    "dateReserved": "2024-05-24T15:02:54.833Z",
    "dateUpdated": "2024-12-19T07:44:45.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47556\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:20.320\",\"lastModified\":\"2024-11-21T06:36:32.810\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nethtool: ioctl: fix potential NULL deref in ethtool_set_coalesce()\\n\\nethtool_set_coalesce() now uses both the .get_coalesce() and\\n.set_coalesce() callbacks. But the check for their availability is\\nbuggy, so changing the coalesce settings on a device where the driver\\nprovides only _one_ of the callbacks results in a NULL pointer\\ndereference instead of an -EOPNOTSUPP.\\n\\nFix the condition so that the availability of both callbacks is\\nensured. This also matches the netlink code.\\n\\nNote that reproducing this requires some effort - it only affects the\\nlegacy ioctl path, and needs a specific combination of driver options:\\n- have .get_coalesce() and .coalesce_supported but no\\n .set_coalesce(), or\\n- have .set_coalesce() but no .get_coalesce(). Here eg. ethtool doesn\u0027t\\n  cause the crash as it first attempts to call ethtool_get_coalesce()\\n  and bails out on error.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ethtool: ioctl: corrige un posible deref NULL en ethtool_set_coalesce() ethtool_set_coalesce() ahora usa las devoluciones de llamada .get_coalesce() y .set_coalesce(). Pero la verificaci\u00f3n de su disponibilidad tiene errores, por lo que cambiar la configuraci\u00f3n de fusi\u00f3n en un dispositivo donde el controlador proporciona solo _una_ de las devoluciones de llamada da como resultado una desreferencia del puntero NULL en lugar de un -EOPNOTSUPP. Corrija la condici\u00f3n para que se garantice la disponibilidad de ambas devoluciones de llamada. Esto tambi\u00e9n coincide con el c\u00f3digo netlink. Tenga en cuenta que reproducir esto requiere algo de esfuerzo: solo afecta la ruta ioctl heredada y necesita una combinaci\u00f3n espec\u00edfica de opciones de controlador: - tener .get_coalesce() y .coalesce_supported pero no .set_coalesce(), o - tener .set_coalesce() pero no .get_coalesce(). Aqu\u00ed por ej. ethtool no causa el bloqueo ya que primero intenta llamar a ethtool_get_coalesce() y sale por error.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15\",\"versionEndExcluding\":\"5.15.6\",\"matchCriteriaId\":\"082C8F69-46F5-469A-A650-E0340F11BEF5\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0276af2176c78771da7f311621a25d7608045827\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abfdd9e2f0f9699015d72317f74154d3e53664e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0276af2176c78771da7f311621a25d7608045827\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abfdd9e2f0f9699015d72317f74154d3e53664e6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.