CVE-2021-47363

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47363
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47363.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47363
Related
Published
2024-05-21T15:15:22Z
Modified
2024-09-18T01:00:21Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Fix division by zero while replacing a resilient group

The resilient nexthop group torture tests in fib_nexthop.sh exposed a possible division by zero while replacing a resilient group [1]. The division by zero occurs when the data path sees a resilient nexthop group with zero buckets.

The tests replace a resilient nexthop group in a loop while traffic is forwarded through it. The tests do not specify the number of buckets while performing the replacement, resulting in the kernel allocating a stub resilient table (i.e, 'struct nhrestable') with zero buckets.

This table should never be visible to the data path, but the old nexthop group (i.e., 'oldg') might still be used by the data path when the stub table is assigned to it.

Fix this by only assigning the stub table to the old nexthop group after making sure the group is no longer used by the data path.

Tested with fib_nexthops.sh:

Tests passed: 222 Tests failed: 0

[1] divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014 RIP: 0010:nexthopselectpath+0x2d2/0x1a80 [...] Call Trace: fibselectmultipath+0x79b/0x1530 fibselectpath+0x8fb/0x1c10 iprouteoutputkeyhashrcu+0x1198/0x2da0 iprouteoutputkeyhash+0x190/0x340 iprouteoutputflow+0x21/0x120 rawsendmsg+0x91d/0x2e10 inetsendmsg+0x9e/0xe0 _syssendto+0x23d/0x360 _x64syssendto+0xe1/0x1b0 dosyscall64+0x35/0x80 entrySYSCALL64after_hwframe+0x44/0xae

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}