CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47106 – netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()
https://notcve.org/view.php?id=CVE-2021-47106
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() We need to use list_for_each_entry_safe() iterator because we can not access @catchall after kfree_rcu() call. syzbot reported: BUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] BUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] BUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 Read of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871 CPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline] nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline] nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493 __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626 nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:318 [inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306 netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788 __sock_release+0xcd/0x280 net/socket.c:649 sock_close+0x18/0x20 net/socket.c:1314 __fput+0x286/0x9f0 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f75fbf28adb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb RDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003 RBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830 R10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3 R13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032 </TASK> Allocated by task 8886: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:269 [inline] kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575 kmalloc include/linux/slab.h:590 [inline] nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline] nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline] nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936 nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032 nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/ ---truncated--- • https://git.kernel.org/stable/c/aaa31047a6d25da0fa101da1ed544e1247949b40 https://git.kernel.org/stable/c/9d558e5f0d6fdd0a568f73dceb0b40c4f5012e5a https://git.kernel.org/stable/c/0f7d9b31ce7abdbb29bf018131ac920c9f698518 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47105 – ice: xsk: return xsk buffers back to pool when cleaning the ring
https://notcve.org/view.php?id=CVE-2021-47105
In the Linux kernel, the following vulnerability has been resolved: ice: xsk: return xsk buffers back to pool when cleaning the ring Currently we only NULL the xdp_buff pointer in the internal SW ring but we never give it back to the xsk buffer pool. This means that buffers can be leaked out of the buff pool and never be used again. Add missing xsk_buff_free() call to the routine that is supposed to clean the entries that are left in the ring so that these buffers in the umem can be used by other sockets. Also, only go through the space that is actually left to be cleaned instead of a whole ring. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: xsk: devuelve los buffers xsk al grupo al limpiar el anillo. Actualmente solo hacemos NULL en el puntero xdp_buff en el anillo SW interno, pero nunca lo devolvemos al grupo de buffers xsk. Esto significa que los buffers se pueden filtrar fuera del grupo de buffers y no volver a usarse nunca más. • https://git.kernel.org/stable/c/2d4238f5569722197612656163d824098208519c https://git.kernel.org/stable/c/ad6d20da2cfbe14b7b1200d15f39e65988b0b9e8 https://git.kernel.org/stable/c/afe8a3ba85ec2a6b6849367e25c06a2f8e0ddd05 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47104 – IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
https://notcve.org/view.php?id=CVE-2021-47104
In the Linux kernel, the following vulnerability has been resolved: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() The wrong goto label was used for the error case and missed cleanup of the pkt allocation. Addresses-Coverity-ID: 1493352 ("Resource leak") En el kernel de Linux, se resolvió la siguiente vulnerabilidad: IB/qib: corrige la pérdida de memoria en qib_user_sdma_queue_pkts() Se utilizó la etiqueta goto incorrecta para el caso de error y se omitió la limpieza de la asignación de paquetes. Direcciones-Coverity-ID: 1493352 ("Fuga de recursos") • https://git.kernel.org/stable/c/bda41654b6e0c125a624ca35d6d20beb8015b5d0 https://git.kernel.org/stable/c/3f57c3f67fd93b4da86aeffea1ca32c484d054ad https://git.kernel.org/stable/c/60833707b968d5ae02a75edb7886dcd4a957cf0d https://git.kernel.org/stable/c/73d2892148aa4397a885b4f4afcfc5b27a325c42 https://git.kernel.org/stable/c/0f8cdfff06829a0b0348b6debc29ff6a61967724 https://git.kernel.org/stable/c/c3e17e58f571f34c51aeb17274ed02c2ed5cf780 https://git.kernel.org/stable/c/d39bf40e55e666b5905fdbd46a0dced030ce87be https://git.kernel.org/stable/c/0d4395477741608d123dad51def9fe50b •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47103 – inet: fully convert sk->sk_rx_dst to RCU rules
https://notcve.org/view.php?id=CVE-2021-47103
In the Linux kernel, the following vulnerability has been resolved: inet: fully convert sk->sk_rx_dst to RCU rules syzbot reported various issues around early demux, one being included in this changelog [1] sk->sk_rx_dst is using RCU protection without clearly documenting it. And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv() are not following standard RCU rules. [a] dst_release(dst); [b] sk->sk_rx_dst = NULL; They look wrong because a delete operation of RCU protected pointer is supposed to clear the pointer before the call_rcu()/synchronize_rcu() guarding actual memory freeing. In some cases indeed, dst could be freed before [b] is done. We could cheat by clearing sk_rx_dst before calling dst_release(), but this seems the right time to stick to standard RCU annotations and debugging facilities. [1] BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline] BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204 CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 dst_check include/net/dst.h:470 [inline] tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792 ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340 ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583 ip_sublist_rcv net/ipv4/ip_input.c:609 [inline] ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644 __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline] __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556 __netif_receive_skb_list net/core/dev.c:5608 [inline] netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699 gro_normal_list net/core/dev.c:5853 [inline] gro_normal_list net/core/dev.c:5849 [inline] napi_complete_done+0x1f1/0x880 net/core/dev.c:6590 virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline] virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557 __napi_poll+0xaf/0x440 net/core/dev.c:7023 napi_poll net/core/dev.c:7090 [inline] net_rx_action+0x801/0xb40 net/core/dev.c:7177 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629 RIP: 0033:0x7f5e972bfd57 Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73 RSP: 002b:00007fff8a413210 EFLAGS: 00000283 RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45 RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45 RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9 R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0 R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019 </TASK> Allocated by task 13: kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:259 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:3234 [inline] slab_alloc mm/slub.c:3242 [inline] kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247 dst_alloc+0x146/0x1f0 net/core/dst.c:92 rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613 ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:234 ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: inet: conversión completa de sk->sk_rx_dst a reglas de RCU syzbot informó varios problemas relacionados con la demux inicial, uno de los cuales se incluye en este registro de cambios [1] sk->sk_rx_dst está usando protección de RCU sin claridad documentándolo. Y las siguientes secuencias en tcp_v4_do_rcv()/tcp_v6_do_rcv() no siguen las reglas estándar de RCU. [a] dst_release(dst); [b] sk->sk_rx_dst = NULL; Se ven incorrectos porque se supone que una operación de eliminación del puntero protegido de RCU borra el puntero antes de que call_rcu()/synchronize_rcu() proteja la liberación de memoria real. De hecho, en algunos casos, dst podría liberarse antes de que se realice [b]. Podríamos hacer trampa borrando sk_rx_dst antes de llamar a dst_release(), pero este parece el momento adecuado para ceñirnos a las anotaciones estándar de RCU y las funciones de depuración • https://git.kernel.org/stable/c/41063e9dd11956f2d285e12e4342e1d232ba0ea2 https://git.kernel.org/stable/c/68c34ce11ef23328692aa35fa6aaafdd75913100 https://git.kernel.org/stable/c/92e6e36ecd16808866ac6172b9491b5097cde449 https://git.kernel.org/stable/c/75a578000ae5e511e5d0e8433c94a14d9c99c412 https://git.kernel.org/stable/c/c3bb4a7e8cbc984e1cdac0fe6af60e880214ed6e https://git.kernel.org/stable/c/f039b43cbaea5e0700980c2f0052da05a70782e0 https://git.kernel.org/stable/c/0249a4b8a554f2eb6a27b62516fa50168584faa4 https://git.kernel.org/stable/c/8f905c0e7354ef261360fb7535ea079b1 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47102 – net: marvell: prestera: fix incorrect structure access
https://notcve.org/view.php?id=CVE-2021-47102
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix incorrect structure access In line: upper = info->upper_dev; We access upper_dev field, which is related only for particular events (e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memory access for another events, when ptr is not netdev_notifier_changeupper_info. The KASAN logs are as follows: [ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778 [ 30.139866] [ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6 [ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 30.153056] Call trace: [ 30.155547] dump_backtrace+0x0/0x2c0 [ 30.159320] show_stack+0x18/0x30 [ 30.162729] dump_stack_lvl+0x68/0x84 [ 30.166491] print_address_description.constprop.0+0x74/0x2b8 [ 30.172346] kasan_report+0x1e8/0x250 [ 30.176102] __asan_load8+0x98/0xe0 [ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera] [ 30.193313] raw_notifier_call_chain+0x74/0xa0 [ 30.197860] call_netdevice_notifiers_info+0x68/0xc0 [ 30.202924] register_netdevice+0x3cc/0x760 [ 30.207190] register_netdev+0x24/0x50 [ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera] En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: net:marvell:prestera: corrige el acceso a la estructura incorrecta En línea: superior = info->upper_dev; Accedemos al campo Upper_dev, que está relacionado sólo para eventos particulares (por ejemplo, evento == NETDEV_CHANGEUPPER). Entonces, esta línea causa un acceso no válido a la memoria para otros eventos, cuando ptr no es netdev_notifier_changeupper_info. Los registros de KASAN son los siguientes: [30.123165] ERROR: KASAN: pila fuera de los límites en prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera] [30.133336] Lectura de tamaño 8 en la dirección ffff80000cf772b0 mediante tarea udevd/778 [ 0x0/0 x2c0 [ 30.159320] show_stack+0x18/0x30 [ 30.162729] dump_stack_lvl+0x68/0x84 [ 30.166491] print_address_description.constprop.0+0x74/0x2b8 [ 30.172346] kasan_report+0x1e8/0x250 [ 3 0.176102] __asan_load8+0x98/0xe0 [ 30.179682] prestera_netdev_port_event.constprop .0+0x68/0x538 [prestera] [ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera] [ 30.193313] raw_notifier_call_chain+0x74/0xa0 [ 30.197860] call_netdevice_notifiers_info+0x68/0xc0 [ 30.202924] registro_netdevice+0x3cc/0x760 [ 30.207190] registro_netdev+0x24 /0x50 [ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera] • https://git.kernel.org/stable/c/3d5048cc54bd250cfbb358c37fcc011135977887 https://git.kernel.org/stable/c/5c553a0cd1263e4da5f220d80fa713fc3959c1d0 https://git.kernel.org/stable/c/2efc2256febf214e7b2bdaa21fe6c3c3146acdcb •