CVE-2021-47546
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-47546
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47546.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-47546
- Related
- Published
- 2024-05-24T15:15:19Z
- Modified
- 2024-09-11T04:41:13.901326Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix memory leak in fib6rulesuppress
The kernel leaks memory when a
fibrule is present in IPv6 nftables firewall rules and a suppress_prefix rule is present in the IPv6 routing rules (used by certain tools such as wg-quick). In such scenarios, every incoming packet will leak an allocation inip6_dst_cacheslab cache.After some hours of
bpftrace-ing and source code reading, I tracked down the issue to ca7a03c41753 ("ipv6: do not free rt if FIBLOOKUPNOREF is set on suppress rule").The problem with that change is that the generic
args->flagsalways haveFIB_LOOKUP_NOREFset1 but the IPv6-specific flagRT6_LOOKUP_F_DST_NOREFmight not be, leading tofib6_rule_suppressnot decreasing the refcount when needed.How to reproduce: - Add the following nftables rule to a prerouting chain: meta nfproto ipv6 fib saddr . mark . iif oif missing drop This can be done with: sudo nft create table inet test sudo nft create chain inet test testchain '{ type filter hook prerouting priority filter + 10; policy accept; }' sudo nft add rule inet test testchain meta nfproto ipv6 fib saddr . mark . iif oif missing drop - Run: sudo ip -6 rule add table main suppress_prefixlength 0 - Watch
sudo slabtop -o | grep ip6_dst_cacheto see memory usage increase with every incoming ipv6 packet.This patch exposes the protocol-specific flags to the protocol specific
suppressfunction, and check the protocol-specificflagsargument for RT6LOOKUPFDSTNOREF instead of the generic FIBLOOKUPNOREF when decreasing the refcount, like this. - References
-
- https://git.kernel.org/stable/c/209d35ee34e25f9668c404350a1c86d914c54ffa
- https://git.kernel.org/stable/c/8ef8a76a340ebdb2c2eea3f6fb0ebbed09a16383
- https://git.kernel.org/stable/c/cdef485217d30382f3bf6448c54b4401648fe3f1
- https://git.kernel.org/stable/c/ee38eb8cf9a7323884c2b8e0adbbeb2192d31e29
- https://security-tracker.debian.org/tracker/CVE-2021-47546
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source