CVE-2021-47162

tipc: skb_linearize the head skb when reassembling msgs

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if
the frag_list already has skbs from elsewhere, such as this skb was
created by pskb_copy() where the frag_list was cloned (all the skbs
in it were skb_get'ed) and shared by multiple skbs.

However, the new appended frag skb should have been only seen by the
current skb. Otherwise, it will cause use after free crashes as this
appended frag skb are seen by multiple skbs but it only got skb_get
called once.

The same thing happens with a skb updated by pskb_may_pull() with a
skb_cloned skb. Li Shuang has reported quite a few crashes caused
by this when doing testing over macvlan devices:

[] kernel BUG at net/core/skbuff.c:1970!
[] Call Trace:
[] skb_clone+0x4d/0xb0
[] macvlan_broadcast+0xd8/0x160 [macvlan]
[] macvlan_process_broadcast+0x148/0x150 [macvlan]
[] process_one_work+0x1a7/0x360
[] worker_thread+0x30/0x390

[] kernel BUG at mm/usercopy.c:102!
[] Call Trace:
[] __check_heap_object+0xd3/0x100
[] __check_object_size+0xff/0x16b
[] simple_copy_to_iter+0x1c/0x30
[] __skb_datagram_iter+0x7d/0x310
[] __skb_datagram_iter+0x2a5/0x310
[] skb_copy_datagram_iter+0x3b/0x90
[] tipc_recvmsg+0x14a/0x3a0 [tipc]
[] ____sys_recvmsg+0x91/0x150
[] ___sys_recvmsg+0x7b/0xc0

[] kernel BUG at mm/slub.c:305!
[] Call Trace:
[] <IRQ>
[] kmem_cache_free+0x3ff/0x400
[] __netif_receive_skb_core+0x12c/0xc40
[] ? kmem_cache_alloc+0x12e/0x270
[] netif_receive_skb_internal+0x3d/0xb0
[] ? get_rx_page_info+0x8e/0xa0 [be2net]
[] be_poll+0x6ef/0xd00 [be2net]
[] ? irq_exit+0x4f/0x100
[] net_rx_action+0x149/0x3b0

...

This patch is to fix it by linearizing the head skb if it has frag_list
set in tipc_buf_append(). Note that we choose to do this before calling
skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can
not just drop the frag_list either as the early time.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tipc: skb_linearize el skb principal al volver a ensamblar mensajes No es una buena idea agregar el frag skb a la frag_list de un skb si la frag_list ya tiene skbs de otro lugar, como por ejemplo este skb fue creado por pskb_copy() donde se clonó frag_list (todos los skbs que contenía fueron skb_get'ed) y se compartió con varios skbs. Sin embargo, el nuevo fragmento skb adjunto solo debería haber sido visto por el skb actual. De lo contrario, causará uso después de fallas gratuitas, ya que varios skbs ven este fragmento skb agregado, pero solo se llamó a skb_get una vez. Lo mismo sucede con un skb actualizado por pskb_may_pull() con un skb skb_cloned. Li Shuang ha informado de bastantes fallos causados por esto al realizar pruebas en dispositivos macvlan: [] ¡ERROR del kernel en net/core/skbuff.c:1970! [] Seguimiento de llamadas: [] skb_clone+0x4d/0xb0 [] macvlan_broadcast+0xd8/0x160 [macvlan] [] macvlan_process_broadcast+0x148/0x150 [macvlan] [] Process_one_work+0x1a7/0x360 [] trabajador_thread+0x30/0x390 [] ERROR del kernel en mm/usercopy.c:102! [] Seguimiento de llamadas: [] __check_heap_object+0xd3/0x100 [] __check_object_size+0xff/0x16b [] simple_copy_to_iter+0x1c/0x30 [] __skb_datagram_iter+0x7d/0x310 [] __skb_datagram_iter+0x2a5/0x310 [] skb_copy_datagram _iter+0x3b/0x90 [] tipc_recvmsg +0x14a/0x3a0 [tipc] [] ____sys_recvmsg+0x91/0x150 [] ___sys_recvmsg+0x7b/0xc0 [] ¡ERROR del kernel en mm/slub.c:305! [] Seguimiento de llamadas: [] [] kmem_cache_free+0x3ff/0x400 [] __netif_receive_skb_core+0x12c/0xc40 [] ? kmem_cache_alloc+0x12e/0x270 [] netif_receive_skb_internal+0x3d/0xb0 [] ? get_rx_page_info+0x8e/0xa0 [be2net] [] be_poll+0x6ef/0xd00 [be2net] [] ? irq_exit+0x4f/0x100 [] net_rx_action+0x149/0x3b0 ... Este parche es para solucionarlo linealizando el skb principal si tiene frag_list configurado en tipc_buf_append(). Tenga en cuenta que elegimos hacer esto antes de llamar a skb_unshare(), ya que __skb_linearize() evitará skb_copy(). Además, tampoco podemos simplemente eliminar frag_list desde el principio.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-25 CVE Reserved
2024-03-25 CVE Published
2024-03-26 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/45c8b7b175ceb2d542e0fe15247377bf3bce29ec	Vuln. Introduced
https://git.kernel.org/stable/c/d45ed6c1ff20d3640a31f03816ca2d48fb7d6f22	Vuln. Introduced
https://git.kernel.org/stable/c/c19282fd54a19e4651a4e67836cd842082546677	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b2c8d28c34b3070407cb1741f9ba3f15d0284b8b	2021-06-03
https://git.kernel.org/stable/c/5489f30bb78ff0dafb4229a69632afc2ba20765c	2021-06-03
https://git.kernel.org/stable/c/436d650d374329a591c30339a91fa5078052ed1e	2021-06-03
https://git.kernel.org/stable/c/4b1761898861117c97066aea6c58f68a7787f0bf	2021-06-03
https://git.kernel.org/stable/c/64d17ec9f1ded042c4b188d15734f33486ed9966	2021-06-03
https://git.kernel.org/stable/c/6da24cfc83ba4f97ea44fc7ae9999a006101755c	2021-06-03
https://git.kernel.org/stable/c/ace300eecbccaa698e2b472843c74a5f33f7dce8	2021-06-03
https://git.kernel.org/stable/c/b7df21cf1b79ab7026f545e7bf837bd5750ac026	2021-05-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 4.4.271 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 4.4.271"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 4.9.271 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 4.9.271"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 4.14.235 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 4.14.235"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 4.19.193 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 4.19.193"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 5.4.124 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.4.124"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 5.10.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.10.42"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 5.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.12.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.3 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.3 < 5.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.1.14 Search vendor "Linux" for product "Linux Kernel" and version "4.1.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.2.7 Search vendor "Linux" for product "Linux Kernel" and version "4.2.7"		en		Affected