CVE-2021-46912

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46912
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46912.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-46912
Related
Published
2024-02-27T07:15:07Z
Modified
2024-11-21T06:34:55Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: Make tcpallowedcongestion_control readonly in non-init netns

Currently, tcpallowedcongestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces.

tcpavailablecongestioncontrol and tcpallowedcongestioncontrol are the only sysctls in ipv4nettable (the per-netns sysctl table) with a NULL data pointer; their handlers (proctcpavailablecongestioncontrol and procallowedcongestion_control) have no other way of referencing a struct net. Thus, they operate globally.

Because ipv4nettable does not use designated initializers, there is no easy way to fix up this one "bad" table entry. However, the data pointer updating logic shouldn't be applied to NULL pointers anyway, so we instead force these entries to be read-only.

These sysctls used to exist in ipv4table (init-net only), but they were moved to the per-net ipv4nettable, presumably without realizing that tcpallowedcongestioncontrol was writable and thus introduced a leak.

Because the intent of that commit was only to know (i.e. read) "which congestion algorithms are available or allowed", this read-only solution should be sufficient.

The logic added in recent commit 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls") does not and cannot check for NULL data pointers, because other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods (.extra2) to access the struct net.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}