CVE-2021-47587
net: systemport: Add global locking for descriptor lifecycle
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
net: systemport: Add global locking for descriptor lifecycle
The descriptor list is a shared resource across all of the transmit queues, and
the locking mechanism used today only protects concurrency across a given
transmit queue between the transmit and reclaiming. This creates an opportunity
for the SYSTEMPORT hardware to work on corrupted descriptors if we have
multiple producers at once which is the case when using multiple transmit
queues.
This was particularly noticeable when using multiple flows/transmit queues and
it showed up in interesting ways in that UDP packets would get a correct UDP
header checksum being calculated over an incorrect packet length. Similarly TCP
packets would get an equally correct checksum computed by the hardware over an
incorrect packet length.
The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
when the driver produces a new descriptor anytime it writes to the
WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
re-organize its descriptors and it is possible that concurrent TX queues
eventually break this internal allocation scheme to the point where the
length/status part of the descriptor gets used for an incorrect data buffer.
The fix is to impose a global serialization for all TX queues in the short
section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
the corruption even with multiple concurrent TX queues being used.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: systemport: agregue bloqueo global para el ciclo de vida del descriptor. La lista de descriptores es un recurso compartido entre todas las colas de transmisión y el mecanismo de bloqueo que se usa hoy solo protege la concurrencia en una cola de transmisión determinada. entre la transmisión y la recuperación. Esto crea una oportunidad para que el hardware de SYSTEMPORT funcione con descriptores corruptos si tenemos varios productores a la vez, como es el caso cuando utilizamos varias colas de transmisión. Esto fue particularmente notable cuando se usaban múltiples flujos/colas de transmisión y se mostró de manera interesante en que los paquetes UDP obtendrían una suma de verificación de encabezado UDP correcta al calcularse sobre una longitud de paquete incorrecta. De manera similar, los paquetes TCP obtendrían una suma de verificación igualmente correcta calculada por el hardware en una longitud de paquete incorrecta. El hardware de SYSTEMPORT mantiene una lista de descriptores internos que reorganiza cuando el controlador produce un nuevo descriptor cada vez que escribe en los registros WRITE_PORT_{HI,LO}. Sin embargo, hay cierto retraso en el hardware para reorganizar sus descriptores y es Es posible que las colas de TX simultáneas eventualmente rompan este esquema de asignación interna hasta el punto en que la parte de longitud/estado del descriptor se use para un búfer de datos incorrecto. La solución es imponer una serialización global para todas las colas de TX en la sección corta donde escribimos en los registros WRITE_PORT_{HI,LO}, lo que resuelve la corrupción incluso cuando se utilizan varias colas de TX simultáneas.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-24 CVE Reserved
- 2024-06-19 CVE Published
- 2024-06-20 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/80105befdb4b8cea924711b40b2462b87df65b62 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 4.4.296 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 4.4.296" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 4.9.294 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 4.9.294" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 4.14.259 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 4.14.259" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 4.19.222 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 4.19.222" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 5.4.168 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 5.4.168" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 5.10.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 5.10.88" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 5.15.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 5.15.11" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.16 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 5.16" | en |
Affected
| ||||||