CVE-2021-47099

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47099
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47099.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47099
Related
Published
2024-03-04T18:15:08Z
Modified
2024-10-31T15:35:02Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

veth: ensure skb entering GRO are not cloned.

After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"), if GRO is enabled on a veth device and TSO is disabled on the peer device, TCP skbs will go through the NAPI callback. If there is no XDP program attached, the veth code does not perform any share check, and shared/cloned skbs could enter the GRO engine.

Ignat reported a BUG triggered later-on due to the above condition:

[ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574! [ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25 [ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 [ 53.982634][ C1] RIP: 0010:skbshift+0x13ef/0x23b0 [ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c [ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246 [ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000 [ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2 [ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0 [ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590 [ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0 [ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000 [ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0 [ 53.982634][ C1] Call Trace: [ 53.982634][ C1] <TASK> [ 53.982634][ C1] tcpsacktagwalk+0xaba/0x18e0 [ 53.982634][ C1] tcpsacktagwritequeue+0xe7b/0x3460 [ 53.982634][ C1] tcpack+0x2666/0x54b0 [ 53.982634][ C1] tcprcvestablished+0x4d9/0x20f0 [ 53.982634][ C1] tcpv4dorcv+0x551/0x810 [ 53.982634][ C1] tcpv4rcv+0x22ed/0x2ed0 [ 53.982634][ C1] ipprotocoldeliverrcu+0x96/0xaf0 [ 53.982634][ C1] iplocaldeliverfinish+0x1e0/0x2f0 [ 53.982634][ C1] ipsublistrcvfinish+0x211/0x440 [ 53.982634][ C1] iplistrcvfinish.constprop.0+0x424/0x660 [ 53.982634][ C1] iplistrcv+0x2c8/0x410 [ 53.982634][ C1] _netifreceiveskblistcore+0x65c/0x910 [ 53.982634][ C1] netifreceiveskblistinternal+0x5f9/0xcb0 [ 53.982634][ C1] napicompletedone+0x188/0x6e0 [ 53.982634][ C1] grocellpoll+0x10c/0x1d0 [ 53.982634][ C1] _napipoll+0xa1/0x530 [ 53.982634][ C1] netrxaction+0x567/0x1270 [ 53.982634][ C1] _dosoftirq+0x28a/0x9ba [ 53.982634][ C1] runksoftirqd+0x32/0x60 [ 53.982634][ C1] smpbootthreadfn+0x559/0x8c0 [ 53.982634][ C1] kthread+0x3b9/0x490 [ 53.982634][ C1] retfromfork+0x22/0x30 [ 53.982634][ C1] </TASK>

Address the issue by skipping the GRO stage for shared or cloned skbs. To reduce the chance of OoO, try to unclone the skbs before giving up.

v1 -> v2: - use avoid skbcopy and fallback to netifreceive_skb - Eric

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}