ghsa-q6h5-3vm3-9h46
Vulnerability from github
Published
2024-05-22 09:31
Modified
2024-05-22 09:31
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

Currently, when the rule related to IDLETIMER is added, idletimer_tg timer structure is initialized by kmalloc on executing idletimer_tg_create function. However, in this process timer->timer_type is not defined to a specific value. Thus, timer->timer_type has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timer_type using kzalloc instead of kmalloc.

Test commands: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed

Splat looks like: BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70 Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] dev_attr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? device_remove_bin_file+0x20/0x20 kernfs_seq_show+0xa4/0xb0 seq_read_iter+0x29c/0x750 kernfs_fop_read_iter+0x25a/0x2c0 ? __fsnotify_parent+0x3d1/0x570 ? iov_iter_init+0x70/0x90 new_sync_read+0x2a7/0x3d0 ? __x64_sys_llseek+0x230/0x230 ? rw_verify_area+0x81/0x150 vfs_read+0x17b/0x240 ksys_read+0xd9/0x180 ? vfs_write+0x460/0x460 ? do_syscall_64+0x16/0xc0 ? lockdep_hardirqs_on+0x79/0x120 __x64_sys_read+0x43/0x50 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47451"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T07:15:10Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\n\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\nstructure is initialized by kmalloc on executing idletimer_tg_create\nfunction. However, in this process timer-\u003etimer_type is not defined to\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\nkernel panic. So, this commit fixes the panic by initializing\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\n\nTest commands:\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\n    $ cat /sys/class/xt_idletimer/timers/test\n      Killed\n\nSplat looks like:\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    Call Trace:\n     dump_stack_lvl+0x6e/0x9c\n     kasan_report.cold+0x112/0x117\n     ? alarm_expires_remaining+0x49/0x70\n     __asan_load8+0x86/0xb0\n     alarm_expires_remaining+0x49/0x70\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\n     dev_attr_show+0x3c/0x60\n     sysfs_kf_seq_show+0x11d/0x1f0\n     ? device_remove_bin_file+0x20/0x20\n     kernfs_seq_show+0xa4/0xb0\n     seq_read_iter+0x29c/0x750\n     kernfs_fop_read_iter+0x25a/0x2c0\n     ? __fsnotify_parent+0x3d1/0x570\n     ? iov_iter_init+0x70/0x90\n     new_sync_read+0x2a7/0x3d0\n     ? __x64_sys_llseek+0x230/0x230\n     ? rw_verify_area+0x81/0x150\n     vfs_read+0x17b/0x240\n     ksys_read+0xd9/0x180\n     ? vfs_write+0x460/0x460\n     ? do_syscall_64+0x16/0xc0\n     ? lockdep_hardirqs_on+0x79/0x120\n     __x64_sys_read+0x43/0x50\n     do_syscall_64+0x3b/0xc0\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RIP: 0033:0x7f0cdc819142\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000",
  "id": "GHSA-q6h5-3vm3-9h46",
  "modified": "2024-05-22T09:31:45Z",
  "published": "2024-05-22T09:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47451"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.