CVE-2021-47162

Summary

In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs.

However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes as this appended frag skb are seen by multiple skbs but it only got skb_get called once.

The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb. Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices:

[] kernel BUG at net/core/skbuff.c:1970! [] Call Trace: [] skb_clone+0x4d/0xb0 [] macvlan_broadcast+0xd8/0x160 [macvlan] [] macvlan_process_broadcast+0x148/0x150 [macvlan] [] process_one_work+0x1a7/0x360 [] worker_thread+0x30/0x390

[] kernel BUG at mm/usercopy.c:102! [] Call Trace: [] __check_heap_object+0xd3/0x100 [] __check_object_size+0xff/0x16b [] simple_copy_to_iter+0x1c/0x30 [] __skb_datagram_iter+0x7d/0x310 [] __skb_datagram_iter+0x2a5/0x310 [] skb_copy_datagram_iter+0x3b/0x90 [] tipc_recvmsg+0x14a/0x3a0 [tipc] [] ____sys_recvmsg+0x91/0x150 [] ___sys_recvmsg+0x7b/0xc0

[] kernel BUG at mm/slub.c:305! [] Call Trace: [] <IRQ> [] kmem_cache_free+0x3ff/0x400 [] __netif_receive_skb_core+0x12c/0xc40 [] ? kmem_cache_alloc+0x12e/0x270 [] netif_receive_skb_internal+0x3d/0xb0 [] ? get_rx_page_info+0x8e/0xa0 [be2net] [] be_poll+0x6ef/0xd00 [be2net] [] ? irq_exit+0x4f/0x100 [] net_rx_action+0x149/0x3b0

This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can not just drop the frag_list either as the early time.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < b2c8d28c34b3070407cb1741f9ba3f15d0284b8baffected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < 5489f30bb78ff0dafb4229a69632afc2ba20765caffected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < 436d650d374329a591c30339a91fa5078052ed1eaffected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < 4b1761898861117c97066aea6c58f68a7787f0bfaffected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < 64d17ec9f1ded042c4b188d15734f33486ed9966affected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < 6da24cfc83ba4f97ea44fc7ae9999a006101755caffected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < ace300eecbccaa698e2b472843c74a5f33f7dce8affected
LinuxLinux45c8b7b175ceb2d542e0fe15247377bf3bce29ec < b7df21cf1b79ab7026f545e7bf837bd5750ac026affected
LinuxLinuxd45ed6c1ff20d3640a31f03816ca2d48fb7d6f22affected
LinuxLinuxc19282fd54a19e4651a4e67836cd842082546677affected
LinuxLinux4.1.14 < 4.2affected
LinuxLinux4.2.7 < 4.3affected
LinuxLinux4.3affected
LinuxLinux0 < 4.3unaffected
LinuxLinux4.4.271 <= 4.4.*unaffected
LinuxLinux4.9.271 <= 4.9.*unaffected
LinuxLinux4.14.235 <= 4.14.*unaffected
LinuxLinux4.19.193 <= 4.19.*unaffected
LinuxLinux5.4.124 <= 5.4.*unaffected
LinuxLinux5.10.42 <= 5.10.*unaffected
LinuxLinux5.12.9 <= 5.12.*unaffected
LinuxLinux5.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References