Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47247.json
blob: 0292c55080f1be11547864b0b690e22177b752a3 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\n\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\n\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260] dump_stack+0xbb/0x107\n [23827.477906] print_address_description.constprop.0+0x18/0x140\n [23827.478896] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905] kasan_report.cold+0x7c/0xd8\n [23827.481701] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744] kasan_check_range+0x145/0x1a0\n [23827.493112] mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054] ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486] ? read_word_at_a_time+0xe/0x20\n [23827.498250] ? strscpy+0xa0/0x2a0\n [23827.498889] process_one_work+0x8ac/0x14e0\n [23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537] ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359] ? rwlock_bug.part.0+0x90/0x90\n [23827.502116] worker_thread+0x53b/0x1220\n [23827.502831] ? process_one_work+0x14e0/0x14e0\n [23827.503627] kthread+0x328/0x3f0\n [23827.504254] ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065] ? __kthread_bind_mask+0x90/0x90\n [23827.505912] ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694] kasan_save_stack+0x1b/0x40\n [23827.508476] __kasan_kmalloc+0x7c/0x90\n [23827.509197] mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234] mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298] tc_setup_cb_add+0x1d5/0x420\n [23827.514023] fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821] tc_new_tfilter+0x89a/0x2070\n [23827.516548] rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300] netlink_rcv_skb+0x11d/0x340\n [23827.518021] netlink_unicast+0x42b/0x700\n [23827.518742] netlink_sendmsg+0x743/0xc20\n [23827.519467] sock_sendmsg+0xb2/0xe0\n [23827.520131] ____sys_sendmsg+0x590/0x770\n [23827.520851] ___sys_sendmsg+0xd8/0x160\n [23827.521552] __sys_sendmsg+0xb7/0x140\n [23827.522238] do_syscall_64+0x3a/0x70\n [23827.522907] entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780] kasan_save_stack+0x1b/0x40\n [23827.525488] kasan_set_track+0x1c/0x30\n [23827.526187] kasan_set_free_info+0x20/0x30\n [23827.526968] __kasan_slab_free+0xed/0x130\n [23827.527709] slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528] kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317] kfree_rcu_work+0x55f/0xb70\n [23827.530024] process_one_work+0x8ac/0x14e0\n [23827.530770] worker_thread+0x53b/0x1220\n [23827.531480] kthread+0x328/0x3f0\n [23827.532114] ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007] kasan_save_stack+0x1b/0x40\n [23827.534710] kasan_record_aux_stack+0xab/0xc0\n [23827.535492] kvfree_call_rcu+0x31/0x7b0\n [23827.536206] mlx5e_tc_del\n---truncated---"
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.h"
],
"versions": [
{
"version": "2a1f1768fa17805ca2e937e2e034a7c3433d3bdc",
"lessThan": "0d1e7a7964ce6abb28883a3906bbc20fe0009f03",
"status": "affected",
"versionType": "git"
},
{
"version": "2a1f1768fa17805ca2e937e2e034a7c3433d3bdc",
"lessThan": "b6447b72aca571632e71bb73a797118d5ce46a93",
"status": "affected",
"versionType": "git"
},
{
"version": "2a1f1768fa17805ca2e937e2e034a7c3433d3bdc",
"lessThan": "fb1a3132ee1ac968316e45d21a48703a6db0b6c3",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/rep/neigh.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.h"
],
"versions": [
{
"version": "5.4",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.4",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.237",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.12.13",
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.13",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4",
"versionEndExcluding": "5.10.237"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4",
"versionEndExcluding": "5.12.13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4",
"versionEndExcluding": "5.13"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/0d1e7a7964ce6abb28883a3906bbc20fe0009f03"
},
{
"url": "https://git.kernel.org/stable/c/b6447b72aca571632e71bb73a797118d5ce46a93"
},
{
"url": "https://git.kernel.org/stable/c/fb1a3132ee1ac968316e45d21a48703a6db0b6c3"
}
],
"title": "net/mlx5e: Fix use-after-free of encap entry in neigh update handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2021-47247",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}