CVE-2021-47163
tipc: wait and exit until all work queues are done
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
tipc: wait and exit until all work queues are done
On some host, a crash could be triggered simply by repeating these
commands several times:
# modprobe tipc
# tipc bearer enable media udp name UDP1 localip 127.0.0.1
# rmmod tipc
[] BUG: unable to handle kernel paging request at ffffffffc096bb00
[] Workqueue: events 0xffffffffc096bb00
[] Call Trace:
[] ? process_one_work+0x1a7/0x360
[] ? worker_thread+0x30/0x390
[] ? create_worker+0x1a0/0x1a0
[] ? kthread+0x116/0x130
[] ? kthread_flush_work_fn+0x10/0x10
[] ? ret_from_fork+0x35/0x40
When removing the TIPC module, the UDP tunnel sock will be delayed to
release in a work queue as sock_release() can't be done in rtnl_lock().
If the work queue is schedule to run after the TIPC module is removed,
kernel will crash as the work queue function cleanup_beareri() code no
longer exists when trying to invoke it.
To fix it, this patch introduce a member wq_count in tipc_net to track
the numbers of work queues in schedule, and wait and exit until all
work queues are done in tipc_exit_net().
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tipc: espere y salga hasta que todas las colas de trabajo estén terminadas. En algunos hosts, se podría desencadenar un bloqueo simplemente repitiendo estos comandos varias veces: # modprobe tipc # tipc portador habilitar media udp nombre UDP1 localip 127.0.0.1 # rmmod tipc [] ERROR: no se puede manejar la solicitud de paginación del kernel en ffffffffc096bb00 [] Cola de trabajo: eventos 0xffffffffc096bb00 [] Seguimiento de llamadas: []? proceso_one_work+0x1a7/0x360 []? hilo_trabajador+0x30/0x390 []? crear_trabajador+0x1a0/0x1a0 []? kthread+0x116/0x130 []? kthread_flush_work_fn+0x10/0x10 []? ret_from_fork+0x35/0x40 Al retirar el módulo TIPC, el calcetín del túnel UDP se retrasará para liberarse en una cola de trabajo, ya que sock_release() no se puede realizar en rtnl_lock(). Si la cola de trabajo está programada para ejecutarse después de eliminar el módulo TIPC, el kernel fallará porque el código de la función de cola de trabajo cleanup_beareri() ya no existe al intentar invocarlo. Para solucionarlo, este parche introduce un miembro wq_count en tipc_net para rastrear el número de colas de trabajo programadas y esperar y salir hasta que todas las colas de trabajo estén terminadas en tipc_exit_net().
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-25 CVE Reserved
- 2024-03-25 CVE Published
- 2024-03-26 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/d0f91938bede204a343473792529e0db7d599836 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.4.124 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.4.124" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.10.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.10.42" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.12.9" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.1 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.1 < 5.13" | en |
Affected
| ||||||