cve/published/2021/CVE-2021-47451.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47451: netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

 Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
 structure is initialized by kmalloc on executing idletimer_tg_create
 function. However, in this process timer->timer_type is not defined to
 a specific value. Thus, timer->timer_type has garbage value and it occurs
 kernel panic. So, this commit fixes the panic by initializing
 timer->timer_type using kzalloc instead of kmalloc.

 Test commands:
     # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
     $ cat /sys/class/xt_idletimer/timers/test
       Killed

 Splat looks like:
     BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
     Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
     CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
     Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
     Call Trace:
      dump_stack_lvl+0x6e/0x9c
      kasan_report.cold+0x112/0x117
      ? alarm_expires_remaining+0x49/0x70
      __asan_load8+0x86/0xb0
      alarm_expires_remaining+0x49/0x70
      idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
      dev_attr_show+0x3c/0x60
      sysfs_kf_seq_show+0x11d/0x1f0
      ? device_remove_bin_file+0x20/0x20
      kernfs_seq_show+0xa4/0xb0
      seq_read_iter+0x29c/0x750
      kernfs_fop_read_iter+0x25a/0x2c0
      ? __fsnotify_parent+0x3d1/0x570
      ? iov_iter_init+0x70/0x90
      new_sync_read+0x2a7/0x3d0
      ? __x64_sys_llseek+0x230/0x230
      ? rw_verify_area+0x81/0x150
      vfs_read+0x17b/0x240
      ksys_read+0xd9/0x180
      ? vfs_write+0x460/0x460
      ? do_syscall_64+0x16/0xc0
      ? lockdep_hardirqs_on+0x79/0x120
      __x64_sys_read+0x43/0x50
      do_syscall_64+0x3b/0xc0
      entry_SYSCALL_64_after_hwframe+0x44/0xae
     RIP: 0033:0x7f0cdc819142
     Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
     RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
     RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142
     RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003
     RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000
     R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0
     R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000

 The Linux kernel CVE team has assigned CVE-2021-47451 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit 68983a354a655c35d3fb204489d383a2a051fda7 and fixed in 5.10.76 with commit 2a670c323055282c9b72794a491d53cef86bbeaf
 	Issue introduced in 5.7 with commit 68983a354a655c35d3fb204489d383a2a051fda7 and fixed in 5.14.15 with commit cae7cab804c943d723d52724a3aeb07a3f4a2650
 	Issue introduced in 5.7 with commit 68983a354a655c35d3fb204489d383a2a051fda7 and fixed in 5.15 with commit 902c0b1887522a099aa4e1e6b4b476c2fe5dd13e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47451
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/xt_IDLETIMER.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf
 	https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650
 	https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47451: netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

	Currently, when the rule related to IDLETIMER is added, idletimer_tg timer
	structure is initialized by kmalloc on executing idletimer_tg_create
	function. However, in this process timer->timer_type is not defined to
	a specific value. Thus, timer->timer_type has garbage value and it occurs
	kernel panic. So, this commit fixes the panic by initializing
	timer->timer_type using kzalloc instead of kmalloc.

	Test commands:
	# iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
	$ cat /sys/class/xt_idletimer/timers/test
	Killed

	Splat looks like:
	BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
	Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
	CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
	Call Trace:
	dump_stack_lvl+0x6e/0x9c
	kasan_report.cold+0x112/0x117
	? alarm_expires_remaining+0x49/0x70
	__asan_load8+0x86/0xb0
	alarm_expires_remaining+0x49/0x70
	idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
	dev_attr_show+0x3c/0x60
	sysfs_kf_seq_show+0x11d/0x1f0
	? device_remove_bin_file+0x20/0x20
	kernfs_seq_show+0xa4/0xb0
	seq_read_iter+0x29c/0x750
	kernfs_fop_read_iter+0x25a/0x2c0
	? __fsnotify_parent+0x3d1/0x570
	? iov_iter_init+0x70/0x90
	new_sync_read+0x2a7/0x3d0
	? __x64_sys_llseek+0x230/0x230
	? rw_verify_area+0x81/0x150
	vfs_read+0x17b/0x240
	ksys_read+0xd9/0x180
	? vfs_write+0x460/0x460
	? do_syscall_64+0x16/0xc0
	? lockdep_hardirqs_on+0x79/0x120
	__x64_sys_read+0x43/0x50
	do_syscall_64+0x3b/0xc0
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	RIP: 0033:0x7f0cdc819142
	Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
	RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
	RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142
	RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003
	RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000
	R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0
	R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000

	The Linux kernel CVE team has assigned CVE-2021-47451 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit 68983a354a655c35d3fb204489d383a2a051fda7 and fixed in 5.10.76 with commit 2a670c323055282c9b72794a491d53cef86bbeaf
	Issue introduced in 5.7 with commit 68983a354a655c35d3fb204489d383a2a051fda7 and fixed in 5.14.15 with commit cae7cab804c943d723d52724a3aeb07a3f4a2650
	Issue introduced in 5.7 with commit 68983a354a655c35d3fb204489d383a2a051fda7 and fixed in 5.15 with commit 902c0b1887522a099aa4e1e6b4b476c2fe5dd13e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47451
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/xt_IDLETIMER.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf
	https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650
	https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e