cve/published/2021/CVE-2021-46913.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46913: netfilter: nftables: clone set element expression template

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nftables: clone set element expression template

 memcpy() breaks when using connlimit in set elements. Use
 nft_expr_clone() to initialize the connlimit expression list, otherwise
 connlimit garbage collector crashes when walking on the list head copy.

 [  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
 [  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
 [  493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
 [  493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
 [  493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
 [  493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
 [  493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
 [  493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
 [  493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
 [  493.064721] FS:  0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
 [  493.064725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [  493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
 [  493.064733] Call Trace:
 [  493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
 [  493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]

 The Linux kernel CVE team has assigned CVE-2021-46913 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit 4094445229760d0d31a4190dfe88fe815c9fc34e and fixed in 5.10.64 with commit e51ff3ffc316377cca21de8b80404eed0c37b3c3
 	Issue introduced in 5.7 with commit 4094445229760d0d31a4190dfe88fe815c9fc34e and fixed in 5.11.16 with commit 47d8de3c226574a3ddb8b87d0c152028d1bafef4
 	Issue introduced in 5.7 with commit 4094445229760d0d31a4190dfe88fe815c9fc34e and fixed in 5.12 with commit 4d8f9065830e526c83199186c5f56a6514f457d2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46913
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_tables_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e51ff3ffc316377cca21de8b80404eed0c37b3c3
 	https://git.kernel.org/stable/c/47d8de3c226574a3ddb8b87d0c152028d1bafef4
 	https://git.kernel.org/stable/c/4d8f9065830e526c83199186c5f56a6514f457d2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46913: netfilter: nftables: clone set element expression template

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nftables: clone set element expression template

	memcpy() breaks when using connlimit in set elements. Use
	nft_expr_clone() to initialize the connlimit expression list, otherwise
	connlimit garbage collector crashes when walking on the list head copy.

	[ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
	[ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
	[ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
	[ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
	[ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
	[ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
	[ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
	[ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
	[ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
	[ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
	[ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
	[ 493.064733] Call Trace:
	[ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
	[ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables]

	The Linux kernel CVE team has assigned CVE-2021-46913 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit 4094445229760d0d31a4190dfe88fe815c9fc34e and fixed in 5.10.64 with commit e51ff3ffc316377cca21de8b80404eed0c37b3c3
	Issue introduced in 5.7 with commit 4094445229760d0d31a4190dfe88fe815c9fc34e and fixed in 5.11.16 with commit 47d8de3c226574a3ddb8b87d0c152028d1bafef4
	Issue introduced in 5.7 with commit 4094445229760d0d31a4190dfe88fe815c9fc34e and fixed in 5.12 with commit 4d8f9065830e526c83199186c5f56a6514f457d2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46913
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_tables_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e51ff3ffc316377cca21de8b80404eed0c37b3c3
	https://git.kernel.org/stable/c/47d8de3c226574a3ddb8b87d0c152028d1bafef4
	https://git.kernel.org/stable/c/4d8f9065830e526c83199186c5f56a6514f457d2