cve/published/2021/CVE-2021-47146.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47146: mld: fix panic in mld_newpack()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mld: fix panic in mld_newpack()

 mld_newpack() doesn't allow to allocate high order page,
 only order-0 allocation is allowed.
 If headroom size is too large, a kernel panic could occur in skb_put().

 Test commands:
     ip netns del A
     ip netns del B
     ip netns add A
     ip netns add B
     ip link add veth0 type veth peer name veth1
     ip link set veth0 netns A
     ip link set veth1 netns B

     ip netns exec A ip link set lo up
     ip netns exec A ip link set veth0 up
     ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
     ip netns exec B ip link set lo up
     ip netns exec B ip link set veth1 up
     ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
     for i in {1..99}
     do
         let A=$i-1
         ip netns exec A ip link add ip6gre$i type ip6gre \
 	local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
         ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
         ip netns exec A ip link set ip6gre$i up

         ip netns exec B ip link add ip6gre$i type ip6gre \
 	local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
         ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
         ip netns exec B ip link set ip6gre$i up
     done

 Splat looks like:
 kernel BUG at net/core/skbuff.c:110!
 invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
 CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
 Workqueue: ipv6_addrconf addrconf_dad_work
 RIP: 0010:skb_panic+0x15d/0x15f
 Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83
 41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89
 34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
 RSP: 0018:ffff88810091f820 EFLAGS: 00010282
 RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
 RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
 RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
 R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
 R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
 FS:  0000000000000000(0000) GS:ffff888117c00000(0000)
 knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
  ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
  skb_put.cold.104+0x22/0x22
  ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
  ? rcu_read_lock_sched_held+0x91/0xc0
  mld_newpack+0x398/0x8f0
  ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
  ? lock_contended+0xc40/0xc40
  add_grhead.isra.33+0x280/0x380
  add_grec+0x5ca/0xff0
  ? mld_sendpack+0xf40/0xf40
  ? lock_downgrade+0x690/0x690
  mld_send_initial_cr.part.34+0xb9/0x180
  ipv6_mc_dad_complete+0x15d/0x1b0
  addrconf_dad_completed+0x8d2/0xbb0
  ? lock_downgrade+0x690/0x690
  ? addrconf_rs_timer+0x660/0x660
  ? addrconf_dad_work+0x73c/0x10e0
  addrconf_dad_work+0x73c/0x10e0

 Allowing high order page allocation could fix this problem.

 The Linux kernel CVE team has assigned CVE-2021-47146 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.4.271 with commit 0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.9.271 with commit 17728616a4c85baf0edc975c60ba4e4157684d9a
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.14.235 with commit 221142038f36d9f28b64e83e954774da4d4ccd17
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.19.193 with commit 4b77ad9097067b31237eeeee0bf70f80849680a0
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.4.124 with commit 37d697759958d111439080bab7e14d2b0e7b39f5
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.10.42 with commit beb39adb150f8f3b516ddf7c39835a9788704d23
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.12.9 with commit a76fb9ba545289379acf409653ad5f74417be59c
 	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.13 with commit 020ef930b826d21c5446fdc9db80fd72a791bc21

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47146
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/mcast.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1
 	https://git.kernel.org/stable/c/17728616a4c85baf0edc975c60ba4e4157684d9a
 	https://git.kernel.org/stable/c/221142038f36d9f28b64e83e954774da4d4ccd17
 	https://git.kernel.org/stable/c/4b77ad9097067b31237eeeee0bf70f80849680a0
 	https://git.kernel.org/stable/c/37d697759958d111439080bab7e14d2b0e7b39f5
 	https://git.kernel.org/stable/c/beb39adb150f8f3b516ddf7c39835a9788704d23
 	https://git.kernel.org/stable/c/a76fb9ba545289379acf409653ad5f74417be59c
 	https://git.kernel.org/stable/c/020ef930b826d21c5446fdc9db80fd72a791bc21
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47146: mld: fix panic in mld_newpack()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mld: fix panic in mld_newpack()

	mld_newpack() doesn't allow to allocate high order page,
	only order-0 allocation is allowed.
	If headroom size is too large, a kernel panic could occur in skb_put().

	Test commands:
	ip netns del A
	ip netns del B
	ip netns add A
	ip netns add B
	ip link add veth0 type veth peer name veth1
	ip link set veth0 netns A
	ip link set veth1 netns B

	ip netns exec A ip link set lo up
	ip netns exec A ip link set veth0 up
	ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
	ip netns exec B ip link set lo up
	ip netns exec B ip link set veth1 up
	ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
	for i in {1..99}
	do
	let A=$i-1
	ip netns exec A ip link add ip6gre$i type ip6gre \
	local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
	ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
	ip netns exec A ip link set ip6gre$i up

	ip netns exec B ip link add ip6gre$i type ip6gre \
	local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
	ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
	ip netns exec B ip link set ip6gre$i up
	done

	Splat looks like:
	kernel BUG at net/core/skbuff.c:110!
	invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
	CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
	Workqueue: ipv6_addrconf addrconf_dad_work
	RIP: 0010:skb_panic+0x15d/0x15f
	Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83
	41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89
	34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
	RSP: 0018:ffff88810091f820 EFLAGS: 00010282
	RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
	RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
	RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
	R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
	R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
	FS: 0000000000000000(0000) GS:ffff888117c00000(0000)
	knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	Call Trace:
	? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
	? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
	skb_put.cold.104+0x22/0x22
	ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
	? rcu_read_lock_sched_held+0x91/0xc0
	mld_newpack+0x398/0x8f0
	? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
	? lock_contended+0xc40/0xc40
	add_grhead.isra.33+0x280/0x380
	add_grec+0x5ca/0xff0
	? mld_sendpack+0xf40/0xf40
	? lock_downgrade+0x690/0x690
	mld_send_initial_cr.part.34+0xb9/0x180
	ipv6_mc_dad_complete+0x15d/0x1b0
	addrconf_dad_completed+0x8d2/0xbb0
	? lock_downgrade+0x690/0x690
	? addrconf_rs_timer+0x660/0x660
	? addrconf_dad_work+0x73c/0x10e0
	addrconf_dad_work+0x73c/0x10e0

	Allowing high order page allocation could fix this problem.

	The Linux kernel CVE team has assigned CVE-2021-47146 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.4.271 with commit 0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.9.271 with commit 17728616a4c85baf0edc975c60ba4e4157684d9a
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.14.235 with commit 221142038f36d9f28b64e83e954774da4d4ccd17
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 4.19.193 with commit 4b77ad9097067b31237eeeee0bf70f80849680a0
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.4.124 with commit 37d697759958d111439080bab7e14d2b0e7b39f5
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.10.42 with commit beb39adb150f8f3b516ddf7c39835a9788704d23
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.12.9 with commit a76fb9ba545289379acf409653ad5f74417be59c
	Issue introduced in 2.6.35 with commit 72e09ad107e78d69ff4d3b97a69f0aad2b77280f and fixed in 5.13 with commit 020ef930b826d21c5446fdc9db80fd72a791bc21

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47146
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/mcast.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1
	https://git.kernel.org/stable/c/17728616a4c85baf0edc975c60ba4e4157684d9a
	https://git.kernel.org/stable/c/221142038f36d9f28b64e83e954774da4d4ccd17
	https://git.kernel.org/stable/c/4b77ad9097067b31237eeeee0bf70f80849680a0
	https://git.kernel.org/stable/c/37d697759958d111439080bab7e14d2b0e7b39f5
	https://git.kernel.org/stable/c/beb39adb150f8f3b516ddf7c39835a9788704d23
	https://git.kernel.org/stable/c/a76fb9ba545289379acf409653ad5f74417be59c
	https://git.kernel.org/stable/c/020ef930b826d21c5446fdc9db80fd72a791bc21