CVE-2021-47146

mld: fix panic in mld_newpack()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

mld: fix panic in mld_newpack()

mld_newpack() doesn't allow to allocate high order page,
only order-0 allocation is allowed.
If headroom size is too large, a kernel panic could occur in skb_put().

Test commands:
ip netns del A
ip netns del B
ip netns add A
ip netns add B
ip link add veth0 type veth peer name veth1
ip link set veth0 netns A
ip link set veth1 netns B

ip netns exec A ip link set lo up
ip netns exec A ip link set veth0 up
ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
ip netns exec B ip link set lo up
ip netns exec B ip link set veth1 up
ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
for i in {1..99}
do
let A=$i-1
ip netns exec A ip link add ip6gre$i type ip6gre \n local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
ip netns exec A ip link set ip6gre$i up

ip netns exec B ip link add ip6gre$i type ip6gre \n local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
ip netns exec B ip link set ip6gre$i up
done

Splat looks like:
kernel BUG at net/core/skbuff.c:110!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_panic+0x15d/0x15f
Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83
41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89
34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
RSP: 0018:ffff88810091f820 EFLAGS: 00010282
RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
FS: 0000000000000000(0000) GS:ffff888117c00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
skb_put.cold.104+0x22/0x22
ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? rcu_read_lock_sched_held+0x91/0xc0
mld_newpack+0x398/0x8f0
? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
? lock_contended+0xc40/0xc40
add_grhead.isra.33+0x280/0x380
add_grec+0x5ca/0xff0
? mld_sendpack+0xf40/0xf40
? lock_downgrade+0x690/0x690
mld_send_initial_cr.part.34+0xb9/0x180
ipv6_mc_dad_complete+0x15d/0x1b0
addrconf_dad_completed+0x8d2/0xbb0
? lock_downgrade+0x690/0x690
? addrconf_rs_timer+0x660/0x660
? addrconf_dad_work+0x73c/0x10e0
addrconf_dad_work+0x73c/0x10e0

Allowing high order page allocation could fix this problem.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mld: corrige el pánico en mld_newpack() mld_newpack() no permite asignar páginas de orden superior, solo se permite la asignación de orden 0. Si el tamaño del espacio libre es demasiado grande, podría ocurrir un pánico en el kernel en skb_put(). Comandos de prueba: ip netns del A ip netns del B ip netns agregar A ip netns agregar enlace ip B agregar veth0 tipo nombre de par veth veth1 conjunto de enlace ip veth0 netns A conjunto de enlace ip veth1 netns B ip netns exec A enlace ip configurar lo up ip netns exec A configuración de enlace ip veth0 up ip netns exec A ip -6 aa 2001:db8:0::1/64 dev veth0 ip netns exec B configuración de enlace ip lo up ip netns exec B configuración de enlace ip veth1 up ip netns exec B ip -6 aa 2001:db8:0::2/64 dev veth1 para i en {1..99} haga let A=$i-1 ip netns exec Un enlace ip agregue ip6gre$i escriba ip6gre \ local 2001:db8 :$A::1 remoto 2001:db8:$A::2 encaplimit 100 ip netns exec A ip -6 aa 2001:db8:$i::1/64 dev ip6gre$i ip netns exec A conjunto de enlaces ip ip6gre$ Subo ip netns exec B enlace ip agregue ip6gre$escribo ip6gre \ local 2001:db8:$A::2 remoto 2001:db8:$A::1 encaplimit 100 ip netns exec B ip -6 aa 2001:db8:$ i::2/64 dev ip6gre$i ip netns exec B ip link set ip6gre$i listo Splat se ve así: ¡ERROR del kernel en net/core/skbuff.c:110! código de operación no válido: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891 Cola de trabajo: ipv6_addrconf addrconf_dad_work RIP: 0010:skb_panic+0x15d/0x15f Código: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83 41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89 34 24 e 8 4a 4e 92fe 8b 34 24 48 c7 c1 20 RSP: 0018:ffff88810091f820 EFLAGS: 00010282 RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000 RDX: 0000 000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031 R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028 R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0 FS: 00000000000000000(0000) GS:ffff888117c00000(0000) k nlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0 DR0: 0000000000000000 DR1 : 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 skb_put.cold.104+0x22/0x22 ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 ? rcu_read_lock_sched_held+0x91/0xc0 mld_newpack+0x398/0x8f0? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600? lock_contended+0xc40/0xc40 add_grhead.isra.33+0x280/0x380 add_grec+0x5ca/0xff0 ? mld_sendpack+0xf40/0xf40? lock_downgrade+0x690/0x690 mld_send_initial_cr.part.34+0xb9/0x180 ipv6_mc_dad_complete+0x15d/0x1b0 addrconf_dad_completed+0x8d2/0xbb0 ? lock_downgrade+0x690/0x690? addrconf_rs_timer+0x660/0x660? addrconf_dad_work+0x73c/0x10e0 addrconf_dad_work+0x73c/0x10e0 Permitir la asignación de páginas de alto orden podría solucionar este problema.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-04 CVE Reserved
2024-03-25 CVE Published
2024-03-26 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/72e09ad107e78d69ff4d3b97a69f0aad2b77280f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1	2021-06-03
https://git.kernel.org/stable/c/17728616a4c85baf0edc975c60ba4e4157684d9a	2021-06-03
https://git.kernel.org/stable/c/221142038f36d9f28b64e83e954774da4d4ccd17	2021-06-03
https://git.kernel.org/stable/c/4b77ad9097067b31237eeeee0bf70f80849680a0	2021-06-03
https://git.kernel.org/stable/c/37d697759958d111439080bab7e14d2b0e7b39f5	2021-06-03
https://git.kernel.org/stable/c/beb39adb150f8f3b516ddf7c39835a9788704d23	2021-06-03
https://git.kernel.org/stable/c/a76fb9ba545289379acf409653ad5f74417be59c	2021-06-03
https://git.kernel.org/stable/c/020ef930b826d21c5446fdc9db80fd72a791bc21	2021-05-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 4.4.271 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 4.4.271"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 4.9.271 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 4.9.271"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 4.14.235 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 4.14.235"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 4.19.193 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 4.19.193"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.4.124 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.4.124"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.10.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.10.42"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.12.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.35 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.35 < 5.13"		en		Affected