CVE-2021-47304

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47304
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47304.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47304
Related
Published
2024-05-21T15:15:18Z
Modified
2024-09-11T04:41:07.325270Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix tcpinittransfer() to not reset icskcainitialized

This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions.

The buggy scenario constructed by syzkaller was something like:

(1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCPSYNSENT, call setsockopt(TCPCONGESTION), which calls: tcpsetcongestioncontrol() -> tcpreinitcongestioncontrol() -> tcpinitcongestioncontrol() (4) receive ACK, connection is established, call tcpinittransfer(), set icskcainitialized=0 (without first calling cc->release()), call tcpinitcongestion_control() again.

Note that in this sequence tcpinitcongestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG.

The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icskcainitialized and set icskcainitialized to 0 in tcpinittransfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCPCONGESTION) in state TCPSYNSENT (i.e. after the connect() or TFO open sendmsg()), which would call tcpinitcongestioncontrol(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.70-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}