
CVE-2021-47517

ethtool: do not perform operations on net devices being unregistered

Severity Score (CVSS): -
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): Track

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ethtool: do not perform operations on net devices being unregistered

There is a short period between when a net device starts to be unregistered
and when it is actually gone. In that time frame ethtool operations
could still be performed, which might end up in unwanted or undefined
behaviours[1].

Do not allow ethtool operations after a net device starts its
unregistration. This patch targets the netlink part as the ioctl one
isn't affected: the reference to the net device is taken and the
operation is executed within an rtnl lock section and the net device
won't be found after unregister.

[1] For example adding Tx queues after unregister ends up in NULL
pointer exceptions and UaFs, such as:

BUG: KASAN: use-after-free in kobject_get+0x14/0x90
Read of size 1 at addr ffff88801961248c by task ethtool/755

CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
Call Trace:
dump_stack_lvl+0x57/0x72
print_address_description.constprop.0+0x1f/0x140
kasan_report.cold+0x7f/0x11b
kobject_get+0x14/0x90
kobject_add_internal+0x3d1/0x450
kobject_init_and_add+0xba/0xf0
netdev_queue_update_kobjects+0xcf/0x200
netif_set_real_num_tx_queues+0xb4/0x310
veth_set_channels+0x1c3/0x550
ethnl_set_channels+0x524/0x610
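
The window described above, as a small userspace C model added here for illustration (not kernel code and not part of the original record; every model_* name and the strict flag are hypothetical). With the gate strict, an operation that arrives after unregistration has begun is refused with -ENODEV instead of reaching per-queue state that has already been released.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
enum model_state { MODEL_REGISTERED, MODEL_UNREGISTERING, MODEL_GONE };
struct model_dev {
    enum model_state state;
    bool queue_objs_live;   /* per-queue bookkeeping still valid */
    unsigned tx_queues;
    unsigned stale_touches; /* operations that reached released state */
};

/* Start of unregistration: bookkeeping is released, device is still findable. */
static void model_begin_unregister(struct model_dev *d)
{
    d->state = MODEL_UNREGISTERING;
    d->queue_objs_live = false;
}

/* Gate run before every operation; strict=false models the pre-fix gap. */
static int model_ops_begin(const struct model_dev *d, bool strict)
{
    if (d == NULL || d->state == MODEL_GONE)
        return -ENODEV;
    if (strict && d->state == MODEL_UNREGISTERING)
        return -ENODEV;
    return 0;
}

static int model_set_tx_queues(struct model_dev *d, unsigned n, bool strict)
{
    int ret = model_ops_begin(d, strict);
    if (ret)
        return ret;
    if (!d->queue_objs_live)
        d->stale_touches++; /* a real kernel would touch freed objects here */
    d->tx_queues = n;
    return 0;
}

int main(void)
{
    struct model_dev d = { MODEL_REGISTERED, true, 1, 0 };
    model_begin_unregister(&d);
    printf("lax=%d ", model_set_tx_queues(&d, 4, false));
    printf("strict=%d stale=%u\n", model_set_tx_queues(&d, 8, true), d.stale_touches);
    return 0;
}
```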

*Credits: N/A
CVSS Scores
Attack Vector: -
Attack Complexity: -
Privileges Required: -
User Interaction: -
Scope: -
Confidentiality: -
Integrity: -
Availability: -
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
Exploitation: None
Automatable: No
Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-24 CVE Reserved
  • 2024-05-24 CVE Published
  • 2024-05-25 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product        Version             Other   Status
Linux    Linux Kernel   >= 5.6 < 5.10.87    en      Affected
Linux    Linux Kernel   >= 5.6 < 5.15.8     en      Affected
Linux    Linux Kernel   >= 5.6 < 5.16       en      Affected