CVE-2021-46954

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets<br /> <br /> when &amp;#39;act_mirred&amp;#39; tries to fragment IPv4 packets that had been previously<br /> re-assembled using &amp;#39;act_ct&amp;#39;, splats like the following can be observed on<br /> kernels built with KASAN:<br /> <br /> BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60<br /> Read of size 1 at addr ffff888147009574 by task ping/947<br /> <br /> CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418<br /> Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack+0x92/0xc1<br /> print_address_description.constprop.7+0x1a/0x150<br /> kasan_report.cold.13+0x7f/0x111<br /> ip_do_fragment+0x1b03/0x1f60<br /> sch_fragment+0x4bf/0xe40<br /> tcf_mirred_act+0xc3d/0x11a0 [act_mirred]<br /> tcf_action_exec+0x104/0x3e0<br /> fl_classify+0x49a/0x5e0 [cls_flower]<br /> tcf_classify_ingress+0x18a/0x820<br /> __netif_receive_skb_core+0xae7/0x3340<br /> __netif_receive_skb_one_core+0xb6/0x1b0<br /> process_backlog+0x1ef/0x6c0<br /> __napi_poll+0xaa/0x500<br /> net_rx_action+0x702/0xac0<br /> __do_softirq+0x1e4/0x97f<br /> do_softirq+0x71/0x90<br /> <br /> __local_bh_enable_ip+0xdb/0xf0<br /> ip_finish_output2+0x760/0x2120<br /> ip_do_fragment+0x15a5/0x1f60<br /> __ip_finish_output+0x4c2/0xea0<br /> ip_output+0x1ca/0x4d0<br /> ip_send_skb+0x37/0xa0<br /> raw_sendmsg+0x1c4b/0x2d00<br /> sock_sendmsg+0xdb/0x110<br /> __sys_sendto+0x1d7/0x2b0<br /> __x64_sys_sendto+0xdd/0x1b0<br /> do_syscall_64+0x33/0x40<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f82e13853eb<br /> Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89<br /> RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c<br /> RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb<br /> RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003<br /> RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0<br /> R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0<br /> <br /> The buggy address belongs to the page:<br /> page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009<br /> flags: 0x17ffffc0001000(reserved)<br /> raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000<br /> raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00<br /> &gt;ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2<br /> ^<br /> ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2<br /> <br /> for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,<br /> in the following call graph:<br /> <br /> ip_do_fragment()<br /> ip_skb_dst_mtu()<br /> ip_dst_mtu_maybe_forward()<br /> ip_mtu_locked()<br /> <br /> the pointer to struct dst_entry is used as pointer to struct rtable: this<br /> turns the access to struct members like rt_mtu_locked into an OOB read in<br /> the stack. Fix this changing the temporary variable used for IPv4 packets<br /> in sch_fragment(), similarly to what is done for IPv6 few lines below.