CVE-2021-47592

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47592
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47592.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47592
Related
Published
2024-06-19T15:15:53Z
Modified
2024-11-06T16:35:02Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix tc flower deletion for VLAN priority Rx steering

To replicate the issue:-

1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio numtc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlanprio 0 hw_tc 0

2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress

3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151

From dmesg, we will observe kernel NULL pointer ooops

[ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI

<snip>

[ 197.171367] RIP: 0010:tcsetupcls+0x20b/0x4a0 [stmmac]

<snip>

[ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? _stmmacdisableallqueues+0xa8/0xe0 [stmmac] [ 197.171367] stmmacsetuptcblockcb+0x70/0x110 [stmmac] [ 197.171367] tcsetupcbdestroy+0xb3/0x180 [ 197.171367] flhwdestroyfilter+0x94/0xc0 [cls_flower]

The above issue is due to previous incorrect implementation of tcdelvlanflow(), shown below, that uses flowclsoffloadflowrule() to get struct flowrule *rule which is no longer valid for tc filter delete operation.

struct flowrule *rule = flowclsoffloadflowrule(cls); struct flowdissector *dissector = rule->match.dissector;

So, to ensure tcdelvlanflow() deletes the right VLAN cls record for earlier configured RX queue (configured by hwtc) in tcaddvlanflow(), this patch introduces stmmacrfsentry as driver-side flowcls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based.

v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}