cve-2021-47592
Vulnerability from cvelistv5
Published
2024-06-19 14:53
Modified
2024-12-19 07:45
Summary
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- 1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlan_prio 0 hw_tc 0 2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress 3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151 From dmesg, we will observe kernel NULL pointer ooops [ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI <snip> [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac] <snip> [ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] [ 197.171367] tc_setup_cb_destroy+0xb3/0x180 [ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] The above issue is due to previous incorrect implementation of tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule() to get struct flow_rule *rule which is no longer valid for tc filter delete operation. struct flow_rule *rule = flow_cls_offload_flow_rule(cls); struct flow_dissector *dissector = rule->match.dissector; So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(), this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based. v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.
Impacted products
Vendor Product Version
Linux Linux Version: 5.13
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-47592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-20T15:19:38.436561Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T15:17:09.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:47:39.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac.h",
            "drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97cb5c82aa1dd85a39b1bd021c8b5f18af623779",
              "status": "affected",
              "version": "0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3",
              "versionType": "git"
            },
            {
              "lessThan": "aeb7c75cb77478fdbf821628e9c95c4baa9adc63",
              "status": "affected",
              "version": "0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac.h",
            "drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\n\nTo replicate the issue:-\n\n1) Add 1 flower filter for VLAN Priority based frame steering:-\n$ IFDEVNAME=eth0\n$ tc qdisc add dev $IFDEVNAME ingress\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\n   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\n   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\n   flower vlan_prio 0 hw_tc 0\n\n2) Get the \u0027pref\u0027 id\n$ tc filter show dev $IFDEVNAME ingress\n\n3) Delete a specific tc flower record (say pref 49151)\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\n\nFrom dmesg, we will observe kernel NULL pointer ooops\n\n[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  197.171367] #PF: supervisor read access in kernel mode\n[  197.171367] #PF: error_code(0x0000) - not-present page\n[  197.171367] PGD 0 P4D 0\n[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\n\n\u003csnip\u003e\n\n[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\n\n\u003csnip\u003e\n\n[  197.171367] Call Trace:\n[  197.171367]  \u003cTASK\u003e\n[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\n[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\n[  197.171367]  tc_setup_cb_destroy+0xb3/0x180\n[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n\nThe above issue is due to previous incorrect implementation of\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\nto get struct flow_rule *rule which is no longer valid for tc filter\ndelete operation.\n\n  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);\n  struct flow_dissector *dissector = rule-\u003ematch.dissector;\n\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\nearlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\nthis patch introduces stmmac_rfs_entry as driver-side flow_cls_offload\nrecord for \u0027RX frame steering\u0027 tc flower, currently used for VLAN\npriority. The implementation has taken consideration for future extension\nto include other type RX frame steering such as EtherType based.\n\nv2:\n - Clean up overly extensive backtrace and rewrite git message to better\n   explain the kernel NULL pointer issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:45:23.578Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779"
        },
        {
          "url": "https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63"
        }
      ],
      "title": "net: stmmac: fix tc flower deletion for VLAN priority Rx steering",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47592",
    "datePublished": "2024-06-19T14:53:55.574Z",
    "dateReserved": "2024-05-24T15:11:00.733Z",
    "dateUpdated": "2024-12-19T07:45:23.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47592\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-19T15:15:53.793\",\"lastModified\":\"2024-11-21T06:36:37.303\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\\n\\nTo replicate the issue:-\\n\\n1) Add 1 flower filter for VLAN Priority based frame steering:-\\n$ IFDEVNAME=eth0\\n$ tc qdisc add dev $IFDEVNAME ingress\\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\\\\n   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\\\\n   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\\\\n   flower vlan_prio 0 hw_tc 0\\n\\n2) Get the \u0027pref\u0027 id\\n$ tc filter show dev $IFDEVNAME ingress\\n\\n3) Delete a specific tc flower record (say pref 49151)\\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\\n\\nFrom dmesg, we will observe kernel NULL pointer ooops\\n\\n[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[  197.171367] #PF: supervisor read access in kernel mode\\n[  197.171367] #PF: error_code(0x0000) - not-present page\\n[  197.171367] PGD 0 P4D 0\\n[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n\\n\u003csnip\u003e\\n\\n[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\\n\\n\u003csnip\u003e\\n\\n[  197.171367] Call Trace:\\n[  197.171367]  \u003cTASK\u003e\\n[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\\n[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\\n[  197.171367]  tc_setup_cb_destroy+0xb3/0x180\\n[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\\n\\nThe above issue is due to previous incorrect implementation of\\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\\nto get struct flow_rule *rule which is no longer valid for tc filter\\ndelete operation.\\n\\n  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);\\n  struct flow_dissector *dissector = rule-\u003ematch.dissector;\\n\\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\\nearlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\\nthis patch introduces stmmac_rfs_entry as driver-side flow_cls_offload\\nrecord for \u0027RX frame steering\u0027 tc flower, currently used for VLAN\\npriority. The implementation has taken consideration for future extension\\nto include other type RX frame steering such as EtherType based.\\n\\nv2:\\n - Clean up overly extensive backtrace and rewrite git message to better\\n   explain the kernel NULL pointer issue.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: stmmac: corrija la eliminaci\u00f3n de flores tc para la direcci\u00f3n Rx con prioridad de VLAN Para replicar el problema: - 1) Agregue 1 filtro de flores para la direcci\u00f3n de cuadros basada en prioridad de VLAN: - $ IFDEVNAME=eth0 $ tc qdisc agregar dev $IFDEVNAME ingreso $ tc qdisc agregar dev $IFDEVNAME ra\u00edz mqprio num_tc 8 \\\\ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0 \\\\ colas 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocolo 802.1Q \\\\ flower vlan_prio 0 hw_tc 0 2) Obtener el id \u0027pref\u0027 $ tc filter show dev $IFDEVNAME ingress 3 ) Eliminar un registro de flor tc espec\u00edfico (digamos pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151 Desde dmesg, observaremos el puntero NULL del kernel ooops [ 197.170464] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 00000000000000000 [ 197.171367] #PF: acceso de lectura de supervisor en modo kernel [ 197.171367] #PF: error_code(0x0000) - p\u00e1gina no presente [ 197.171367] PGD 0 P4D 0 [ 197.171367] Ups: 0000 [#1] PREEMPT SMP NOPTI  [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]  [ 197.171367] Seguimiento de llamadas: [ 197.171367]  [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] [ 197.171367] tc_setup_cb_destroy+0xb3/0x180 [ 197.171367] destroy_filter+0x94/0xc0 [cls_flower] El problema anterior se debe a una implementaci\u00f3n anterior incorrecta de tc_del_vlan_flow( ), que se muestra a continuaci\u00f3n, que usa flow_cls_offload_flow_rule() para obtener la estructura flow_rule *rule que ya no es v\u00e1lida para la operaci\u00f3n de eliminaci\u00f3n del filtro tc. estructura flow_rule *regla = flow_cls_offload_flow_rule(cls); estructura flow_dissector *dissector = regla-\u0026gt;match.dissector; Por lo tanto, para garantizar que tc_del_vlan_flow() elimine el registro VLAN cls correcto para la cola RX configurada anteriormente (configurada por hw_tc) en tc_add_vlan_flow(), este parche introduce stmmac_rfs_entry como registro flow_cls_offload del lado del controlador para la flor tc \u0027Direcci\u00f3n de trama RX\u0027, actualmente utilizada para Prioridad de VLAN. La implementaci\u00f3n ha tenido en cuenta una futura ampliaci\u00f3n para incluir otro tipo de direcci\u00f3n de bastidor RX, como la basada en EtherType. v2: - Limpiar el rastreo demasiado extenso y reescribir el mensaje de git para explicar mejor el problema del puntero NULL del kernel.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.13\",\"versionEndExcluding\":\"5.15.11\",\"matchCriteriaId\":\"D42075C1-1BC2-41C8-B06D-3A7E0EDABE84\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"357AA433-37E8-4323-BFB2-3038D6E4B414\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A73429BA-C2D9-4D0C-A75F-06A1CA8B3983\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F621B5E3-E99D-49E7-90B9-EC3B77C95383\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7BFDCAA-1650-49AA-8462-407DD593F94F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"6EC9882F-866D-4ACB-8FBC-213D8D8436C8\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.