CVE-2021-47396

mac80211-hwsim: fix late beacon hrtimer handling

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

mac80211-hwsim: fix late beacon hrtimer handling

Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx
that our handling of the hrtimer here is wrong: If the timer fires
late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot)
then it tries to actually rearm the timer at the next deadline,
which might be in the past already:

1 2 3 N N+1
| | | ... | |

^ intended to fire here (1)
^ next deadline here (2)
^ actually fired here

The next time it fires, it's later, but will still try to schedule
for the next deadline (now 3), etc. until it catches up with N,
but that might take a long time, causing stalls etc.

Now, all of this is simulation, so we just have to fix it, but
note that the behaviour is wrong even per spec, since there's no
value then in sending all those beacons unaligned - they should be
aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a
bit (or a lot) late, then just resume at that point.

Therefore, change the code to use hrtimer_forward_now() which will
ensure that the next firing of the timer would be at N+1 (in the
picture), i.e. the next interval point after the current time.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mac80211-hwsim: corrige el manejo tardío del hrtimer de baliza. Thomas explicó en https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx que nuestro manejo del hrtimer aquí es incorrecto : Si el temporizador se activa tarde (por ejemplo, debido a la programación de vCPU, según lo informado por Dmitry/syzbot), entonces intenta rearmar el temporizador en la próxima fecha límite, que podría haber sido ya en el pasado: 1 2 3 N N+1 | | | ... | | ^ intención de disparar aquí (1) ^ próxima fecha límite aquí (2) ^ realmente disparado aquí La próxima vez que se active, será más tarde, pero aún así intentará programar la próxima fecha límite (ahora 3), etc. hasta que se ponga al día N, pero eso podría llevar mucho tiempo, causando bloqueos, etc. Ahora, todo esto es simulación, así que solo tenemos que arreglarlo, pero tenga en cuenta que el comportamiento es incorrecto incluso según la especificación, ya que no tiene ningún valor enviar todos esos balizas no alineadas: deben estar alineadas con el TBTT (1, 2, 3, ... en la imagen), y si llegamos un poco (o mucho) tarde, simplemente reanudemos en ese punto. Por lo tanto, cambie el código para usar hrtimer_forward_now(), lo que garantizará que el siguiente disparo del temporizador sea en N+1 (en la imagen), es decir, el siguiente punto del intervalo después de la hora actual.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/01e59e467ecf976c782eecd4dc99644802cc60e2	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/9bee85de2c8155388c09a2e1530a243ec1c96f05	2021-10-06
https://git.kernel.org/stable/c/2c204cf594df3b9468368dc9d0b24d482d93cda7	2021-10-06
https://git.kernel.org/stable/c/ed2adf69e29848d1eb9df99633dde655421c92ed	2021-10-07
https://git.kernel.org/stable/c/313bbd1990b6ddfdaa7da098d0c56b098a833572	2021-09-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.4.151 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.4.151"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.10.71 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.10.71"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.14.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.14.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.9 < 5.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.9 < 5.15"		en		Affected