CVE-2021-47394

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47394
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47394.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47394
Related
Published
2024-05-21T15:15:24Z
Modified
2024-09-11T02:00:05Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unlink table before deleting it

syzbot reports following UAF: BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955 nlastrcmp+0xf2/0x130 lib/nlattr.c:836 nfttablelookup.part.0+0x1a2/0x460 net/netfilter/nftablesapi.c:570 nfttablelookup net/netfilter/nftablesapi.c:4064 [inline] nftablesgetset+0x1b3/0x860 net/netfilter/nftablesapi.c:4064 nfnetlinkrcvmsg+0x659/0x13f0 net/netfilter/nfnetlink.c:285 netlinkrcvskb+0x153/0x420 net/netlink/afnetlink.c:2504

Problem is that all get operations are lockless, so the commitmutex held by nftrcvnlevent() isn't enough to stop a parallel GET request from doing read-accesses to the table object even after synchronize_rcu().

To avoid this, unlink the table first and store the table objects in on-stack scratch space.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}