Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47515.json
blob: 4874d1078c1474384ad1f2b562b7a4b85a208f06 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseg6: fix the iif in the IPv6 socket control block\n\nWhen an IPv4 packet is received, the ip_rcv_core(...) sets the receiving\ninterface index into the IPv4 socket control block (v5.16-rc4,\nnet/ipv4/ip_input.c line 510):\n\n IPCB(skb)->iif = skb->skb_iif;\n\nIf that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH\nheader, the seg6_do_srh_encap(...) performs the required encapsulation.\nIn this case, the seg6_do_srh_encap function clears the IPv6 socket control\nblock (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):\n\n memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));\n\nThe memset(...) was introduced in commit ef489749aae5 (\"ipv6: sr: clear\nIP6CB(skb) on SRH ip4ip6 encapsulation\") a long time ago (2019-01-29).\n\nSince the IPv6 socket control block and the IPv4 socket control block share\nthe same memory area (skb->cb), the receiving interface index info is lost\n(IP6CB(skb)->iif is set to zero).\n\nAs a side effect, that condition triggers a NULL pointer dereference if\ncommit 0857d6f8c759 (\"ipv6: When forwarding count rx stats on the orig\nnetdev\") is applied.\n\nTo fix that issue, we set the IP6CB(skb)->iif with the index of the\nreceiving interface once again."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/ipv6/seg6_iptunnel.c"
],
"versions": [
{
"version": "c630ec8bdadae9d557b1ceb9d6c06e149108a0d4",
"lessThan": "b16d412e5f79734033df04e97d7ea2f50a8e9fe3",
"status": "affected",
"versionType": "git"
},
{
"version": "2f704348c93ff8119e642dae6a72327f90b82810",
"lessThan": "6431e71093f3da586a00c6d931481ffb0dc2db0e",
"status": "affected",
"versionType": "git"
},
{
"version": "ef489749aae508e6f17886775c075f12ff919fb1",
"lessThan": "ef8804e47c0a44ae106ead1740408af5ea6c6ee9",
"status": "affected",
"versionType": "git"
},
{
"version": "ef489749aae508e6f17886775c075f12ff919fb1",
"lessThan": "666521b3852d2b2f52d570f9122b1e4b50d96831",
"status": "affected",
"versionType": "git"
},
{
"version": "ef489749aae508e6f17886775c075f12ff919fb1",
"lessThan": "98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1",
"status": "affected",
"versionType": "git"
},
{
"version": "ef489749aae508e6f17886775c075f12ff919fb1",
"lessThan": "ae68d93354e5bf5191ee673982251864ea24dd5c",
"status": "affected",
"versionType": "git"
},
{
"version": "b71b7e0280f47b4ac633fbfd153423814ea87810",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/ipv6/seg6_iptunnel.c"
],
"versions": [
{
"version": "5.0",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.0",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.14.258",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.221",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.165",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.85",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.8",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.16",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.98",
"versionEndExcluding": "4.14.258"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.20",
"versionEndExcluding": "4.19.221"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0",
"versionEndExcluding": "5.4.165"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0",
"versionEndExcluding": "5.10.85"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0",
"versionEndExcluding": "5.15.8"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0",
"versionEndExcluding": "5.16"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.7"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3"
},
{
"url": "https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e"
},
{
"url": "https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9"
},
{
"url": "https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831"
},
{
"url": "https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1"
},
{
"url": "https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c"
}
],
"title": "seg6: fix the iif in the IPv6 socket control block",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2021-47515",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}