CVE-2021-47394

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47394
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47394.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47394
Published
2024-05-21T15:15:24Z
Modified
2024-09-18T01:00:22Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unlink table before deleting it

syzbot reports following UAF:

BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955
 nla_strcmp+0xf2/0x130 lib/nlattr.c:836
 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570
 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]
 nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064
 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504

Problem is that all get operations are lockless, so the commit_mutex held by nft_rcv_nl_event() isn't enough to stop a parallel GET request from doing read-accesses to the table object even after synchronize_rcu().

To avoid this, unlink the table first and store the table objects in on-stack scratch space.
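The ordering problem the commit message describes, as an added user-space model that is not part of this page or of the kernel's own code. RCU, the grace period and the "parallel GET" are simulated: a lookup that runs right after the grace period stands in for the lockless GET path, and the counters report whether that lookup obtained a pointer to an object that was freed immediately afterwards. All identifiers (mtable, mnet, mlookup, munlink, release_owned_buggy, release_owned_fixed, run_release), the port id 4242 and the table names are invented for the model; the bounded scratch array with a restart when it fills is modelled on the upstream fix.

```c
/* Added example, not kernel code: a user-space model of the ordering bug behind
 * CVE-2021-47394 and its fix. RCU, grace periods and the "parallel GET" are
 * simulated; every identifier below is invented for the model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN  32
#define SCRATCH_SLOTS 8   /* bounded on-stack scratch space, as in the fix */

struct mtable { struct mtable *next; char name[NAME_MAX_LEN]; unsigned nlpid; }; /* nlpid: owner port, 0 = none */
struct mnet { struct mtable *tables; unsigned long grace_periods; };           /* per-netns table list */
struct demo_result { int uaf_windows, tables_left; unsigned long grace_periods; };

static void madd(struct mnet *net, const char *name, unsigned nlpid)
{
    struct mtable *t = calloc(1, sizeof(*t));
    if (!t) abort();
    strncpy(t->name, name, NAME_MAX_LEN - 1);
    t->nlpid = nlpid;
    t->next = net->tables;        /* list_add_rcu(): publish at the head */
    net->tables = t;
}

/* Lockless reader, like nft_table_lookup() under rcu_read_lock(): no mutex is
 * taken, so list membership is the only thing protecting what it returns. */
static struct mtable *mlookup(struct mnet *net, const char *name)
{
    for (struct mtable *t = net->tables; t; t = t->next)
        if (strcmp(t->name, name) == 0)
            return t;
    return NULL;
}

static void munlink(struct mnet *net, struct mtable *victim)   /* list_del_rcu() */
{
    for (struct mtable **pp = &net->tables; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; return; }
}
static void msynchronize_rcu(struct mnet *net) { net->grace_periods++; }

/* Pre-fix ordering: grace period while the table is still linked, then free.
 * A GET that starts after synchronize_rcu() still finds the table and reads it
 * after the free. Returns how many simulated GETs landed in that window. */
static int release_owned_buggy(struct mnet *net, unsigned portid, const char *racing_get)
{
    int uaf_windows = 0;
    for (struct mtable *t = net->tables, *next; t; t = next) {
        next = t->next;
        if (t->nlpid != portid) continue;
        msynchronize_rcu(net);
        if (mlookup(net, racing_get) == t)   /* parallel GET arrives here */
            uaf_windows++;
        munlink(net, t);
        free(t);                             /* that GET still holds t */
    }
    return uaf_windows;
}

/* Fixed ordering: unlink first, park the objects in on-stack scratch space,
 * wait one grace period, free, and restart if the scratch space filled up. */
static int release_owned_fixed(struct mnet *net, unsigned portid, const char *racing_get)
{
    struct mtable *to_delete[SCRATCH_SLOTS];
    int uaf_windows = 0, deleted, restart;
again:
    deleted = 0;
    for (struct mtable *t = net->tables; t; t = t->next) {
        if (t->nlpid != portid) continue;
        munlink(net, t);                     /* new readers cannot reach it */
        to_delete[deleted++] = t;
        if (deleted >= SCRATCH_SLOTS) break;
    }
    if (deleted) {
        restart = deleted >= SCRATCH_SLOTS;
        msynchronize_rcu(net);               /* readers that found it drain */
        for (int i = 0; i < deleted; i++)    /* parallel GET arrives here */
            if (mlookup(net, racing_get) == to_delete[i]) uaf_windows++;
        while (deleted) free(to_delete[--deleted]);
        if (restart) goto again;
    }
    return uaf_windows;
}

/* Constructed fixture: unowned "base" plus ntables tables "t0".."t<n-1>" owned
 * by port 4242, released with one ordering while a GET for racing_get races. */
struct demo_result run_release(int use_fix, int ntables, const char *racing_get)
{
    struct mnet net = {0};
    struct demo_result r = {0};
    char name[NAME_MAX_LEN];
    madd(&net, "base", 0);
    for (int i = 0; i < ntables; i++) {
        snprintf(name, sizeof name, "t%d", i);
        madd(&net, name, 4242);
    }
    r.uaf_windows = use_fix ? release_owned_fixed(&net, 4242, racing_get)
                            : release_owned_buggy(&net, 4242, racing_get);
    for (struct mtable *t = net.tables, *n; t; t = n, r.tables_left++) { n = t->next; free(t); }
    r.grace_periods = net.grace_periods;
    return r;
}
```

run_release(0, 3, "t1") reproduces the window: the grace period is waited out while t1 is still reachable, so the racing lookup returns t1 and the very next step frees it. run_release(1, 11, "t1") unlinks before waiting, so the same lookup comes back empty; with eleven owned tables and eight scratch slots the release needs two passes, which the model reports as two grace periods. The model leaves out what the real code has to deal with beyond ordering (the commit_mutex, RCU list primitives, hook teardown), so it shows why the ordering matters, not how nft_rcv_nl_event() is written.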

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}