CVE-2021-47452

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: skip netdev events generated on netns removal

syzbot reported following (harmless) WARN:

WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline] nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382

reproducer: unshare -n bash -c 'ip link add br0 type bridge; nft add table netdev t ;
nft add chain netdev t ingress { type filter hook ingress device "br0"
priority 0; policy drop; }'

Problem is that when netns device exit hooks create the UNREGISTER event, the .pre_exit hook for nf_tables core has already removed the base hook. Notifier attempts to do this again.

The need to do base hook unregister unconditionally was needed in the past, because notifier was last stage where reg->dev dereference was safe.

Now that nf_tables does the hook removal in .pre_exit, this isn't needed anymore.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux767d1216bff82507c945e92fe719dff2083bb2f4 < 90c7c58aa2bd02c65a4c63b7dfe0b16eab12cf9faffected
LinuxLinux767d1216bff82507c945e92fe719dff2083bb2f4 < 68a3765c659f809dcaac20030853a054646eb739affected
LinuxLinuxb110391d1e806167254d3c7ae5d637191d913175affected
LinuxLinux0a0e5d47670b753d3dbf88f3c77a97a30864d9bdaffected
LinuxLinux5.4.99 < 5.5affected
LinuxLinux5.10.17 < 5.11affected
LinuxLinux5.11affected
LinuxLinux0 < 5.11unaffected
LinuxLinux5.14.15 <= 5.14.*unaffected
LinuxLinux5.15 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References