CVE-2021-46936

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-46936

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46936.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-46936

Related

Published

2024-02-27T10:15:08Z

Modified

2024-09-18T03:17:15.742240Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix use-after-free in twtimerhandler

A real world panic issue was found as follow in Linux 5.4.

BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
 <IRQ>
 call_timer_fn+0x2b/0x120
 run_timer_softirq+0x1ef/0x450
 __do_softirq+0x10d/0x2b8
 irq_exit+0xc7/0xd0
 smp_apic_timer_interrupt+0x68/0x120
 apic_timer_interrupt+0xf/0x20

This issue was also reported since 2017 in the thread [1], unfortunately, the issue was still can be reproduced after fixing DCCP.

The ipv4mibexitnet is called before tcpskexitbatch when a net namespace is destroyed since tcpskops is registered befrore ipv4mibops, which means tcpskops is in the front of ipv4mibops in the list of pernetlist. There will be a use-after-free on net->mib.netstatistics in twtimerhandler after ipv4mibexit_net if there are some inflight time-wait timers.

This bug is not introduced by commit f2bf415cfed7 ("mib: add net to NETADDSTATSBH") since the netstatistics is a global variable instead of dynamic allocation and freeing. Actually, commit 61a7e26028b9 ("mib: put net statistics on struct net") introduces the bug since it put net statistics on struct net and free it when net namespace is destroyed.

Moving initipv4mibs() to the front of tcpinit() to fix this bug and replace prcrit() with panic() since continuing is meaningless when initipv4mibs() fails.

[1] https://groups.google.com/g/syzkaller/c/p1tn-Kc6l4/m/smuLFMAAgAJ?pli=1

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.92-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}