CVE-2021-47363

nexthop: Fix division by zero while replacing a resilient group

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Fix division by zero while replacing a resilient group

The resilient nexthop group torture tests in fib_nexthop.sh exposed a
possible division by zero while replacing a resilient group [1]. The
division by zero occurs when the data path sees a resilient nexthop
group with zero buckets.

The tests replace a resilient nexthop group in a loop while traffic is
forwarded through it. The tests do not specify the number of buckets
while performing the replacement, resulting in the kernel allocating a
stub resilient table (i.e, 'struct nh_res_table') with zero buckets.

This table should never be visible to the data path, but the old nexthop
group (i.e., 'oldg') might still be used by the data path when the stub
table is assigned to it.

Fix this by only assigning the stub table to the old nexthop group after
making sure the group is no longer used by the data path.

Tested with fib_nexthops.sh:

Tests passed: 222
Tests failed: 0

[1]
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:nexthop_select_path+0x2d2/0x1a80
[...]
Call Trace:
fib_select_multipath+0x79b/0x1530
fib_select_path+0x8fb/0x1c10
ip_route_output_key_hash_rcu+0x1198/0x2da0
ip_route_output_key_hash+0x190/0x340
ip_route_output_flow+0x21/0x120
raw_sendmsg+0x91d/0x2e10
inet_sendmsg+0x9e/0xe0
__sys_sendto+0x23d/0x360
__x64_sys_sendto+0xe1/0x1b0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nexthop: corrige la división por cero mientras se reemplaza un grupo resistente Las pruebas de tortura del grupo resiliente de nexthop en fib_nexthop.sh expusieron una posible división por cero mientras se reemplaza un grupo resistente [1]. La división por cero ocurre cuando la ruta de datos ve un grupo de nexthop resistente con cero depósitos. Las pruebas reemplazan un grupo nexthop resistente en un bucle mientras el tráfico se reenvía a través de él. Las pruebas no especifican la cantidad de depósitos mientras se realiza el reemplazo, lo que da como resultado que el kernel asigne una tabla resistente a resguardos (es decir, 'struct nh_res_table') con cero depósitos. Esta tabla nunca debería ser visible para la ruta de datos, pero la ruta de datos aún podría usar el antiguo grupo nexthop (es decir, 'oldg') cuando se le asigna la tabla auxiliar. Solucione este problema asignando únicamente la tabla auxiliar al antiguo grupo de nexthop después de asegurarse de que la ruta de datos ya no utilice el grupo. Probado con fib_nexthops.sh: Pruebas aprobadas: 222 Pruebas fallidas: 0 [1] error de división: 0000 [#1] CPU PREEMPT SMP KASAN: 0 PID: 1850 Comunicaciones: ping No contaminado 5.14.0-custom-10271-ga86eb53057fe #1107 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 01/04/2014 RIP: 0010:nexthop_select_path+0x2d2/0x1a80 [...] Seguimiento de llamadas: fib_select_multipath+0x79b/0x1530 fib_select_path +0x8fb/0x1c10 ip_route_output_key_hash_rcu+0x1198/0x2da0 ip_route_output_key_hash+0x190/0x340 ip_route_output_flow+0x21/0x120 raw_sendmsg+0x91d/0x2e10 inet_sendmsg+0x9e/0 xe0 __sys_sendto+0x23d/0x360 __x64_sys_sendto+0xe1/0x1b0 do_syscall_64+0x35/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/283a72a5599e80750699d2021830a294ed9ab3f3	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e9d32ec26e7f01d1af13bdc687f586362546aa25	2021-09-30
https://git.kernel.org/stable/c/563f23b002534176f49524b5ca0e1d94d8906c40	2021-09-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.14.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.14.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15"		en		Affected