CVE-2021-47592

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-47592

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47592.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-47592

Related

Published

2024-06-19T15:15:53Z

Modified

2024-11-06T16:35:02Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix tc flower deletion for VLAN priority Rx steering

To replicate the issue:-

1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio numtc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlanprio 0 hw_tc 0

2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress

3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151

From dmesg, we will observe kernel NULL pointer ooops

[ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI

<snip>

[ 197.171367] RIP: 0010:tcsetupcls+0x20b/0x4a0 [stmmac]

<snip>

[ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? _stmmacdisableallqueues+0xa8/0xe0 [stmmac] [ 197.171367] stmmacsetuptcblockcb+0x70/0x110 [stmmac] [ 197.171367] tcsetupcbdestroy+0xb3/0x180 [ 197.171367] flhwdestroyfilter+0x94/0xc0 [cls_flower]

The above issue is due to previous incorrect implementation of tcdelvlanflow(), shown below, that uses flowclsoffloadflowrule() to get struct flowrule *rule which is no longer valid for tc filter delete operation.

struct flowrule *rule = flowclsoffloadflowrule(cls); struct flowdissector *dissector = rule->match.dissector;

So, to ensure tcdelvlanflow() deletes the right VLAN cls record for earlier configured RX queue (configured by hwtc) in tcaddvlanflow(), this patch introduces stmmacrfsentry as driver-side flowcls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based.

v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.

References

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}