CVE-2021-47131

net/tls: Fix use-after-free after the TLS device goes down and up

Severity Score: - (CVSS)
Exploit Likelihood: - (EPSS)
Affected Versions: (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix use-after-free after the TLS device goes down and up

When a netdev with active TLS offload goes down, tls_device_down is
called to stop the offload and tear down the TLS context. However, the
socket stays alive, and it still points to the TLS context, which is now
deallocated. If a netdev goes up, while the connection is still active,
and the data flow resumes after a number of TCP retransmissions, it will
lead to a use-after-free of the TLS context.

This commit addresses this bug by keeping the context alive until its
normal destruction, and implements the necessary fallbacks, so that the
connection can resume in software (non-offloaded) kTLS mode.

On the TX side tls_sw_fallback is used to encrypt all packets. The RX
side already has all the necessary fallbacks, because receiving
non-decrypted packets is supported. The thing needed on the RX side is
to block resync requests, which are normally produced after receiving
non-decrypted packets.

The necessary synchronization is implemented for a graceful teardown:
first the fallbacks are deployed, then the driver resources are released
(it used to be possible to have a tls_dev_resync after tls_dev_del).

A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback
mode. It's used to skip the RX resync logic completely, as it becomes
useless, and some objects may be released (for example, resync_async,
which is allocated and freed by the driver).


*Credits: N/A
CVSS Scores
  • Attack Vector: -
  • Attack Complexity: -
  • Privileges Required: -
  • User Interaction: -
  • Scope: -
  • Confidentiality: -
  • Integrity: -
  • Availability: -
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-03-04 CVE Reserved
  • 2024-03-15 CVE Published
  • 2024-03-16 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product      | Version            | Other | Status
Linux  | Linux Kernel | >= 4.18 < 5.10.43  | en    | Affected
Linux  | Linux Kernel | >= 4.18 < 5.12.10  | en    | Affected
Linux  | Linux Kernel | >= 4.18 < 5.13     | en    | Affected