发布于3月6日3月6日 Members Debian: CVE-2021-47402: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 05/21/2024 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: sched: flower: protect fl_walk() with rcu Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters which causes following use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain rcu read lock while iterating and taking the filter reference and temporary release the lock while calling arg->fn() callback that can sleep. KASAN trace: [352.773640] ================================================================== [352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] [352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987 [352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 [352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [352.781022] Call Trace: [352.781573]dump_stack_lvl+0x46/0x5a [352.782332]print_address_description.constprop.0+0x1f/0x140 [352.783400]? fl_walk+0x159/0x240 [cls_flower] [352.784292]? fl_walk+0x159/0x240 [cls_flower] [352.785138]kasan_report.cold+0x83/0xdf [352.785851]? fl_walk+0x159/0x240 [cls_flower] [352.786587]kasan_check_range+0x145/0x1a0 [352.787337]fl_walk+0x159/0x240 [cls_flower] [352.788163]? fl_put+0x10/0x10 [cls_flower] [352.789007]? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [352.790102]tcf_chain_dump+0x231/0x450 [352.790878]? tcf_chain_tp_delete_empty+0x170/0x170 [352.791833]? __might_sleep+0x2e/0xc0 [352.792594]? tfilter_notify+0x170/0x170 [352.793400]? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [352.794477]tc_dump_tfilter+0x385/0x4b0 [352.795262]? tc_new_tfilter+0x1180/0x1180 [352.796103]? __mod_node_page_state+0x1f/0xc0 [352.796974]? __build_skb_around+0x10e/0x130 [352.797826]netlink_dump+0x2c0/0x560 [352.798563]? netlink_getsockopt+0x430/0x430 [352.799433]? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [352.800542]__netlink_dump_start+0x356/0x440 [352.801397]rtnetlink_rcv_msg+0x3ff/0x550 [352.802190]? tc_new_tfilter+0x1180/0x1180 [352.802872]? rtnl_calcit.isra.0+0x1f0/0x1f0 [352.803668]? tc_new_tfilter+0x1180/0x1180 [352.804344]? _copy_from_iter_nocache+0x800/0x800 [352.805202]? kasan_set_track+0x1c/0x30 [352.805900]netlink_rcv_skb+0xc6/0x1f0 [352.806587]? rht_deferred_worker+0x6b0/0x6b0 [352.807455]? rtnl_calcit.isra.0+0x1f0/0x1f0 [352.808324]? netlink_ack+0x4d0/0x4d0 [352.809086]? netlink_deliver_tap+0x62/0x3d0 [352.809951]netlink_unicast+0x353/0x480 [352.810744]? netlink_attachskb+0x430/0x430 [352.811586]? __alloc_skb+0xd7/0x200 [352.812349]netlink_sendmsg+0x396/0x680 [352.813132]? netlink_unicast+0x480/0x480 [352.813952]? __import_iovec+0x192/0x210 [352.814759]? netlink_unicast+0x480/0x480 [352.815580]sock_sendmsg+0x6c/0x80 [352.816299]____sys_sendmsg+0x3a5/0x3c0 [352.817096]? kernel_sendmsg+0x30/0x30 [352.817873]? __ia32_sys_recvmmsg+0x150/0x150 [352.818753]___sys_sendmsg+0xd8/0x140 [352.819518]? sendmsg_copy_msghdr+0x110/0x110 [352.820402]? ___sys_recvmsg+0xf4/0x1a0 [352.821110]? __copy_msghdr_from_user+0x260/0x260 [352.821934]? _raw_spin_lock+0x81/0xd0 [352.822680]? __handle_mm_fault+0xef3/0x1b20 [352.823549]? rb_insert_color+0x2a/0x270 [352.824373]? copy_page_range+0x16b0/0x16b0 [352.825209]? perf_event_update_userpage+0x2d0/0x2d0 [352.826190]? __fget_light+0xd9/0xf0 [352.826941]__sys_sendmsg+0xb3/0x130 [352.827613]? __sys_sendmsg_sock+0x20/0x20 [352.828377]? do_user_addr_fault+0x2c5/0x8a0 [352.829184]? fpregs_assert_state_consistent+0x52/0x60 [352.830001]? exit_to_user_mode_prepare+0x32/0x160 [352.830845]do_syscall_64+0x35/0x80 [352.831445]entry_SYSCALL_64_after_hwframe+0x44/0xae [352.832331] RIP: 0033:0x7f7bee973c17 [ ---truncated--- Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2021-47402 CVE - 2021-47402
