CVE-2021-47496
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tls: Fix flipped sign in tls_err_abort() calls
sk->sk_err appears to expect a positive value, a convention that ktls doesn't always follow and that leads to memory corruption in other code. For instance,
[kworker]
tls_encrypt_done(..., err=<negative error from crypto request>)
tls_err_abort(.., err)
sk->sk_err = err;
[task]
splice_from_pipe_feed
...
tls_sw_do_sendpage
if (sk->sk_err) {
ret = -sk->sk_err; // ret is positive
splice_from_pipe_feed (continued)
ret = actor(...) // ret is still positive and interpreted as bytes
// written, resulting in underflow of buf->len and
// sd->len, leading to huge buf->offset and bogus
// addresses computed in later calls to actor()
Fix all tls_err_abort() callers to pass a negative error code consistently and centralize the error-prone sign flip there, throwing in a warning to catch future misuse and uninlining the function so it really does only warn once.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c46234ebb4d1eee5e09819f49169e51cfc6eb909 < e0cfd5159f314d6b304d030363650b06a2299cbb | affected |
| Linux | Linux | c46234ebb4d1eee5e09819f49169e51cfc6eb909 < f3dec7e7ace38224f82cf83f0049159d067c2e19 | affected |
| Linux | Linux | c46234ebb4d1eee5e09819f49169e51cfc6eb909 < e41473543f75f7dbc5d605007e6f883f1bd13b9a | affected |
| Linux | Linux | c46234ebb4d1eee5e09819f49169e51cfc6eb909 < da353fac65fede6b8b4cfe207f0d9408e3121105 | affected |
| Linux | Linux | 4.17 | affected |
| Linux | Linux | 0 < 4.17 | unaffected |
| Linux | Linux | 5.4.157 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.77 <= 5.10.* | unaffected |
| Linux | Linux | 5.14.16 <= 5.14.* | unaffected |
| Linux | Linux | 5.15 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/e0cfd5159f314d6b304d030363650b06a2299cbb
- https://git.kernel.org/stable/c/f3dec7e7ace38224f82cf83f0049159d067c2e19
- https://git.kernel.org/stable/c/e41473543f75f7dbc5d605007e6f883f1bd13b9a
- https://git.kernel.org/stable/c/da353fac65fede6b8b4cfe207f0d9408e3121105
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/e0cfd5159f314d6b304d030363650b06a2299cbb
- https://git.kernel.org/stable/c/f3dec7e7ace38224f82cf83f0049159d067c2e19
- https://git.kernel.org/stable/c/e41473543f75f7dbc5d605007e6f883f1bd13b9a
- https://git.kernel.org/stable/c/da353fac65fede6b8b4cfe207f0d9408e3121105
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.