CVE-2021-47544

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-47544

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47544.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-47544

Related

Published

2024-05-24T15:15:18Z

Modified

2024-09-18T03:18:53.035808Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix page frag corruption on page fault

Steffen reported a TCP stream corruption for HTTP requests served by the apache web-server using a cifs mount-point and memory mapping the relevant file.

The root cause is quite similar to the one addressed by commit 20eb4f29b602 ("net: fix skpagefrag() recursion from memory reclaim"). Here the nested access to the task page frag is caused by a page fault on the (mmapped) user-space memory buffer coming from the cifs file.

The page fault handler performs an smb transaction on a different socket, inside the same process context. Since sk->skallaction for such socket does not prevent the usage for the taskfrag, the nested allocation modify "under the hood" the page frag in use by the outer sendmsg call, corrupting the stream.

The overall relevant stack trace looks like the following:

httpd 78268 [001] 3461630.850950: probe:tcpsendmsglocked: ffffffff91461d91 tcpsendmsglocked+0x1 ffffffff91462b57 tcpsendmsg+0x27 ffffffff9139814e socksendmsg+0x3e ffffffffc06dfe1d smbsendkvec+0x28 [...] ffffffffc06cfaf8 cifsreadpages+0x213 ffffffff90e83c4b readpages+0x6b ffffffff90e83f31 _dopagecachereadahead+0x1c1 ffffffff90e79e98 filemapfault+0x788 ffffffff90eb0458 _dofault+0x38 ffffffff90eb5280 dofault+0x1a0 ffffffff90eb7c84 _handlemmfault+0x4d4 ffffffff90eb8093 handlemmfault+0xc3 ffffffff90c74f6d _dopagefault+0x1ed ffffffff90c75277 dopagefault+0x37 ffffffff9160111e pagefault+0x1e ffffffff9109e7b5 copyin+0x25 ffffffff9109eb40 _copyfromiterfull+0xe0 ffffffff91462370 tcpsendmsglocked+0x5e0 ffffffff91462370 tcpsendmsglocked+0x5e0 ffffffff91462b57 tcpsendmsg+0x27 ffffffff9139815c socksendmsg+0x4c ffffffff913981f7 sockwriteiter+0x97 ffffffff90f2cc56 doiterreadvwritev+0x156 ffffffff90f2dff0 doiterwrite+0x80 ffffffff90f2e1c3 vfswritev+0xa3 ffffffff90f2e27c dowritev+0x5c ffffffff90c042bb dosyscall64+0x5b ffffffff916000ad entrySYSCALL64after_hwframe+0x65

The cifs filesystem rightfully sets skallocations to GFPNOFS, we can avoid the nesting using the sk page frag for allocation lacking the _GFPFS flag. Do not define an additional mm-helper for that, as this is strictly tied to the sk page frag usage.

v1 -> v2: - use a stricted skpagefrag() check instead of reordering the code (Eric)

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.84-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}