CVE-2021-46936

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46936
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46936.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-46936
Related
Published
2024-02-27T10:15:08Z
Modified
2024-09-11T04:51:10.869115Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix use-after-free in tw_timer_handler

A real world panic issue was found as follows in Linux 5.4.

BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
 <IRQ>
 call_timer_fn+0x2b/0x120
 run_timer_softirq+0x1ef/0x450
 __do_softirq+0x10d/0x2b8
 irq_exit+0xc7/0xd0
 smp_apic_timer_interrupt+0x68/0x120
 apic_timer_interrupt+0xf/0x20

This issue was also reported since 2017 in the thread [1]; unfortunately, the issue could still be reproduced after fixing DCCP.

The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net namespace is destroyed since tcp_sk_ops is registered before ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops in the list of pernet_list. There will be a use-after-free on net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net if there are some inflight time-wait timers.

This bug is not introduced by commit f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH") since the net_statistics is a global variable instead of dynamic allocation and freeing. Actually, commit 61a7e26028b9 ("mib: put net statistics on struct net") introduces the bug since it put net statistics on struct net and free it when net namespace is destroyed.

Move init_ipv4_mibs() to the front of tcp_init() to fix this bug and replace pr_crit() with panic() since continuing is meaningless when init_ipv4_mibs() fails.

[1] https://groups.google.com/g/syzkaller/c/p1tn-Kc6l4/m/smuLFMAAgAJ?pli=1

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.92-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}