ghsa-4gxv-hggr-2473
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: serialize hash resizes and cleanups
Syzbot was able to trigger the following warning [1]
No repro found by syzbot yet but I was able to trigger similar issue by having 2 scripts running in parallel, changing conntrack hash sizes, and:
for j in seq 1 1000
; do unshare -n /bin/true >/dev/null ; done
It would take more than 5 minutes for net_namespace structures to be cleaned up.
This is because nf_ct_iterate_cleanup() has to restart everytime a resize happened.
By adding a mutex, we can serialize hash resizes and cleanups and also make get_next_corpse() faster by skipping over empty buckets.
Even without resizes in the picture, this patch considerably speeds up network namespace dismantles.
[1] INFO: task syz-executor.0:8312 can't die for more than 144 seconds. task:syz-executor.0 state:R running task stack:25672 pid: 8312 ppid: 6573 flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35 __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390 local_bh_enable include/linux/bottom_half.h:32 [inline] get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline] nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275 nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171 setup_net+0x639/0xa30 net/core/net_namespace.c:349 copy_net_ns+0x319/0x760 net/core/net_namespace.c:470 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226 ksys_unshare+0x445/0x920 kernel/fork.c:3128 __do_sys_unshare kernel/fork.c:3202 [inline] __se_sys_unshare kernel/fork.c:3200 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f63da68e739 RSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80 R13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000
Showing all locks held in the system: 1 lock held by khungtaskd/27: #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446 2 locks held by kworker/u4:2/153: #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 1 lock held by systemd-udevd/2970: 1 lock held by in:imklog/6258: #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990 3 locks held by kworker/1:6/8158: 1 lock held by syz-executor.0/8312: 2 locks held by kworker/u4:13/9320: 1 lock held by ---truncated---
{ "affected": [], "aliases": [ "CVE-2021-47408" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-21T15:15:26Z", "severity": "MODERATE" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: serialize hash resizes and cleanups\n\nSyzbot was able to trigger the following warning [1]\n\nNo repro found by syzbot yet but I was able to trigger similar issue\nby having 2 scripts running in parallel, changing conntrack hash sizes,\nand:\n\nfor j in `seq 1 1000` ; do unshare -n /bin/true \u003e/dev/null ; done\n\nIt would take more than 5 minutes for net_namespace structures\nto be cleaned up.\n\nThis is because nf_ct_iterate_cleanup() has to restart everytime\na resize happened.\n\nBy adding a mutex, we can serialize hash resizes and cleanups\nand also make get_next_corpse() faster by skipping over empty\nbuckets.\n\nEven without resizes in the picture, this patch considerably\nspeeds up network namespace dismantles.\n\n[1]\nINFO: task syz-executor.0:8312 can\u0027t die for more than 144 seconds.\ntask:syz-executor.0 state:R running task stack:25672 pid: 8312 ppid: 6573 flags:0x00004006\nCall Trace:\n context_switch kernel/sched/core.c:4955 [inline]\n __schedule+0x940/0x26f0 kernel/sched/core.c:6236\n preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408\n preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35\n __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390\n local_bh_enable include/linux/bottom_half.h:32 [inline]\n get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline]\n nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275\n nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469\n ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171\n setup_net+0x639/0xa30 net/core/net_namespace.c:349\n copy_net_ns+0x319/0x760 net/core/net_namespace.c:470\n create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226\n ksys_unshare+0x445/0x920 kernel/fork.c:3128\n __do_sys_unshare kernel/fork.c:3202 [inline]\n __se_sys_unshare kernel/fork.c:3200 [inline]\n __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f63da68e739\nRSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000\nRBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80\nR13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000\n\nShowing all locks held in the system:\n1 lock held by khungtaskd/27:\n #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446\n2 locks held by kworker/u4:2/153:\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline]\n #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268\n #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272\n1 lock held by systemd-udevd/2970:\n1 lock held by in:imklog/6258:\n #0: ffff88807f970ff0 (\u0026f-\u003ef_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990\n3 locks held by kworker/1:6/8158:\n1 lock held by syz-executor.0/8312:\n2 locks held by kworker/u4:13/9320:\n1 lock held by\n---truncated---", "id": "GHSA-4gxv-hggr-2473", "modified": "2024-11-01T18:31:25Z", "published": "2024-05-21T15:31:45Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47408" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/7ea6f5848281182ce0cff6cafdcf3fbdeb8ca7e1" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/e2d192301a0df8160d1555b66ae8611e8050e424" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/e9edc188fc76499b0b9bd60364084037f6d03773" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.