Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47418.mbox
blob: 476fb57f8f3c48608dd795da027cea1aa0733b1c [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47418: net_sched: fix NULL deref in fifo_set_limit()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net_sched: fix NULL deref in fifo_set_limit()
syzbot reported another NULL deref in fifo_set_limit() [1]
I could repro the issue with :
unshare -n
tc qd add dev lo root handle 1:0 tbf limit 200000 burst 70000 rate 100Mbit
tc qd replace dev lo parent 1:0 pfifo_fast
tc qd change dev lo root handle 1:0 tbf limit 300000 burst 70000 rate 100Mbit
pfifo_fast does not have a change() operation.
Make fifo_set_limit() more robust about this.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 1cf99067 P4D 1cf99067 PUD 7ca49067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14443 Comm: syz-executor959 Not tainted 5.15.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000e2f7310 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff8d6ecc00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888024c27910 RDI: ffff888071e34000
RBP: ffff888071e34000 R08: 0000000000000001 R09: ffffffff8fcfb947
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888024c27910
R13: ffff888071e34018 R14: 0000000000000000 R15: ffff88801ef74800
FS: 00007f321d897700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000722c3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
fifo_set_limit net/sched/sch_fifo.c:242 [inline]
fifo_set_limit+0x198/0x210 net/sched/sch_fifo.c:227
tbf_change+0x6ec/0x16d0 net/sched/sch_tbf.c:418
qdisc_change net/sched/sch_api.c:1332 [inline]
tc_modify_qdisc+0xd9a/0x1a60 net/sched/sch_api.c:1634
rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
___sys_sendmsg+0xf3/0x170 net/socket.c:2463
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The Linux kernel CVE team has assigned CVE-2021-47418 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 4.4.289 with commit 0dd7ddc462b9c2d31eb5a9926a2cc63eaa3e9f52
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 4.9.287 with commit 08d7056e8e250fd2e67dbea5be5fdecdd75bf6b4
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 4.14.251 with commit 26af64d71b6277841285fa40e3f7164a378dfda9
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 4.19.211 with commit d07098f45be868a9cdce6c616563c36c64dbbd87
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 5.4.153 with commit c951a3be5e8803e93bb49a0aca0d30457d3c1b67
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 5.10.73 with commit acff2d182c0768a713cee77442caeb07668bd68f
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 5.14.12 with commit fb58cd7991747b5e0b110c98c922d7b0e47a1f14
Issue introduced in 2.6.27 with commit fb0305ce1b03f6ff17f84f2c63daccecb45f2805 and fixed in 5.15 with commit 560ee196fe9e5037e5015e2cdb14b3aecb1cd7dc
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47418
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/sched/sch_fifo.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/0dd7ddc462b9c2d31eb5a9926a2cc63eaa3e9f52
https://git.kernel.org/stable/c/08d7056e8e250fd2e67dbea5be5fdecdd75bf6b4
https://git.kernel.org/stable/c/26af64d71b6277841285fa40e3f7164a378dfda9
https://git.kernel.org/stable/c/d07098f45be868a9cdce6c616563c36c64dbbd87
https://git.kernel.org/stable/c/c951a3be5e8803e93bb49a0aca0d30457d3c1b67
https://git.kernel.org/stable/c/acff2d182c0768a713cee77442caeb07668bd68f
https://git.kernel.org/stable/c/fb58cd7991747b5e0b110c98c922d7b0e47a1f14
https://git.kernel.org/stable/c/560ee196fe9e5037e5015e2cdb14b3aecb1cd7dc