发布于3月6日3月6日 Members Ubuntu: (CVE-2021-47402): linux vulnerability Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 05/21/2024 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: sched: flower: protect fl_walk() with rcu Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters which causes following use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain rcu read lock while iterating and taking the filter reference and temporary release the lock while calling arg->fn() callback that can sleep. KASAN trace: [352.773640] ================================================================== [352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] [352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987 [352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 [352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [352.781022] Call Trace: [352.781573]dump_stack_lvl+0x46/0x5a [352.782332]print_address_description.constprop.0+0x1f/0x140 [352.783400]? fl_walk+0x159/0x240 [cls_flower] [352.784292]? fl_walk+0x159/0x240 [cls_flower] [352.785138]kasan_report.cold+0x83/0xdf [352.785851]? fl_walk+0x159/0x240 [cls_flower] [352.786587]kasan_check_range+0x145/0x1a0 [352.787337]fl_walk+0x159/0x240 [cls_flower] [352.788163]? fl_put+0x10/0x10 [cls_flower] [352.789007]? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [352.790102]tcf_chain_dump+0x231/0x450 [352.790878]? tcf_chain_tp_delete_empty+0x170/0x170 [352.791833]? __might_sleep+0x2e/0xc0 [352.792594]? tfilter_notify+0x170/0x170 [352.793400]? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [352.794477]tc_dump_tfilter+0x385/0x4b0 [352.795262]? tc_new_tfilter+0x1180/0x1180 [352.796103]? __mod_node_page_state+0x1f/0xc0 [352.796974]? __build_skb_around+0x10e/0x130 [352.797826]netlink_dump+0x2c0/0x560 [352.798563]? netlink_getsockopt+0x430/0x430 [352.799433]? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [352.800542]__netlink_dump_start+0x356/0x440 [352.801397]rtnetlink_rcv_msg+0x3ff/0x550 [352.802190]? tc_new_tfilter+0x1180/0x1180 [352.802872]? rtnl_calcit.isra.0+0x1f0/0x1f0 [352.803668]? tc_new_tfilter+0x1180/0x1180 [352.804344]? _copy_from_iter_nocache+0x800/0x800 [352.805202]? kasan_set_track+0x1c/0x30 [352.805900]netlink_rcv_skb+0xc6/0x1f0 [352.806587]? rht_deferred_worker+0x6b0/0x6b0 [352.807455]? rtnl_calcit.isra.0+0x1f0/0x1f0 [352.808324]? netlink_ack+0x4d0/0x4d0 [352.809086]? netlink_deliver_tap+0x62/0x3d0 [352.809951]netlink_unicast+0x353/0x480 [352.810744]? netlink_attachskb+0x430/0x430 [352.811586]? __alloc_skb+0xd7/0x200 [352.812349]netlink_sendmsg+0x396/0x680 [352.813132]? netlink_unicast+0x480/0x480 [352.813952]? __import_iovec+0x192/0x210 [352.814759]? netlink_unicast+0x480/0x480 [352.815580]sock_sendmsg+0x6c/0x80 [352.816299]____sys_sendmsg+0x3a5/0x3c0 [352.817096]? kernel_sendmsg+0x30/0x30 [352.817873]? __ia32_sys_recvmmsg+0x150/0x150 [352.818753]___sys_sendmsg+0xd8/0x140 [352.819518]? sendmsg_copy_msghdr+0x110/0x110 [352.820402]? ___sys_recvmsg+0xf4/0x1a0 [352.821110]? __copy_msghdr_from_user+0x260/0x260 [352.821934]? _raw_spin_lock+0x81/0xd0 [352.822680]? __handle_mm_fault+0xef3/0x1b20 [352.823549]? rb_insert_color+0x2a/0x270 [352.824373]? copy_page_range+0x16b0/0x16b0 [352.825209]? perf_event_update_userpage+0x2d0/0x2d0 [352.826190]? __fget_light+0xd9/0xf0 [352.826941]__sys_sendmsg+0xb3/0x130 [352.827613]? __sys_sendmsg_sock+0x20/0x20 [352.828377]? do_user_addr_fault+0x2c5/0x8a0 [352.829184]? fpregs_assert_state_consistent+0x52/0x60 [352.830001]? exit_to_user_mode_prepare+0x32/0x160 [352.830845]do_syscall_64+0x35/0x80 [352.831445]entry_SYSCALL_64_after_hwframe+0x44/0xae [352.832331] RIP: 0033:0x7f7bee973c17 [ ---truncated--- Solution(s) ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-4 ubuntu-upgrade-linux-aws-fips ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-5-4 ubuntu-upgrade-linux-azure-fips ubuntu-upgrade-linux-bluefield ubuntu-upgrade-linux-fips ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-5-4 ubuntu-upgrade-linux-gcp-fips ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-hwe-5-4 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-4 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-raspi-5-4 References https://attackerkb.com/topics/cve-2021-47402 CVE - 2021-47402 https://git.kernel.org/linus/d5ef190693a7d76c5c192d108e8dec48307b46ee https://git.kernel.org/stable/c/694b0cee7f8546b69a80996a29cb3cf4149c0453 https://git.kernel.org/stable/c/d0d520c19e7ea19ed38dc5797b12397b6ccf9f88 https://git.kernel.org/stable/c/d5ef190693a7d76c5c192d108e8dec48307b46ee https://git.kernel.org/stable/c/dab4677bdbffa5c8270e79e34e51c89efa0728a0 https://www.cve.org/CVERecord?id=CVE-2021-47402 View more
