| CVE-2021-46912 is a Linux kernel vulnerability that exists because the `tcp_allowed_congestion_control` sysctl is global and writable: a write to it from any net namespace leaks into every other net namespace. The root cause is that `tcp_available_congestion_control` and `tcp_allowed_congestion_control` are the only entries in `ipv4_net_table` (the per-netns sysctl table) with a NULL data pointer. |
| |
| The handlers for these sysctls, `proc_tcp_available_congestion_control` and `proc_allowed_congestion_control`, have no other way of referencing a `struct net`, so they operate globally. Because `ipv4_net_table` does not use designated initializers, there is no easy way to fix up this one table entry in isolation. |
| |
| The fix forces these sysctl entries to be read-only. This is sufficient because the intent of the original commit was only to read which congestion control algorithms are available or allowed. |
| |
| The vulnerability was introduced in kernel version 5.7 by commit 9cb8e048e5d9 and fixed in versions 5.10.32, 5.11.16, and 5.12 by commits 35d7491e2f77, 1ccdf1bed140, and 97684f0970f6, respectively. The affected file is `net/ipv4/sysctl_net_ipv4.c`. |
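The following audit script is an added example, not part of the kernel patch or of this advisory. It classifies a `uname -r` string against the version window given above and, when run as root with iproute2 available, checks the running kernel directly by attempting to write the sysctl's current value back to it from inside a throwaway net namespace (the namespace name and the function names are assumptions made here); the version table cannot recognise distro kernels that backport the fix without bumping the release.

```shell
#!/bin/sh
# Added audit helper for CVE-2021-46912, not part of the kernel patch.
# Assumes iproute2 ("ip netns") for the live check.

# Exit status 0 when an upstream release string (as from "uname -r") falls in the
# affected window: introduced in 5.7, fixed in 5.10.32, 5.11.16 and 5.12.
affected_upstream() {
    v=${1%%-*}; v=${v%%+*}                 # drop "-generic" / "+" style suffixes
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*};; *) patch=0;; esac
    [ "$maj" -eq 5 ] && [ "$min" -ge 7 ] || return 1
    case "$min" in
        7|8|9) return 0 ;;                 # no fixed point release in these series
        10)    [ "$patch" -lt 32 ] ;;
        11)    [ "$patch" -lt 16 ] ;;
        *)     return 1 ;;                 # 5.12 and later carry the fix
    esac
}

# Live check for the running kernel (needs root and "ip"): inside a throwaway
# net namespace, write the sysctl's current value back to itself. A fixed
# kernel makes the entry read-only outside init_net, so the write is refused;
# on an affected kernel it succeeds (and, being the same value, changes nothing).
# Returns 0 = read-only (fixed), 1 = writable (affected), 2 = could not test.
live_check() {
    f=/proc/sys/net/ipv4/tcp_allowed_congestion_control
    [ "$(id -u)" -eq 0 ] && command -v ip >/dev/null 2>&1 && [ -r "$f" ] || return 2
    ns="cve46912chk$$"                     # hypothetical namespace name
    cur=$(cat "$f")
    ip netns add "$ns" >/dev/null 2>&1 || return 2
    ip netns exec "$ns" true >/dev/null 2>&1 || { ip netns del "$ns"; return 2; }
    if ip netns exec "$ns" sh -c "echo '$cur' > $f" 2>/dev/null; then rc=1; else rc=0; fi
    ip netns del "$ns"
    return $rc
}

main() {
    rel=$(uname -r)
    if affected_upstream "$rel"; then echo "$rel: release is inside the affected window"
    else echo "$rel: release is outside the affected window"; fi
    rc=0; live_check || rc=$?
    case $rc in
        0) echo "tcp_allowed_congestion_control is read-only in a new netns: fix present" ;;
        1) echo "tcp_allowed_congestion_control is writable in a new netns: affected" ;;
        *) echo "live check skipped (needs root and iproute2)" ;;
    esac
}
main
```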
| |