CVE-2021-47175

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: fq_pie: fix OOB access in the traffic path<br /> <br /> the following script:<br /> <br /> # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2<br /> # tc qdisc add dev eth0 clsact<br /> # tc filter add dev eth0 egress matchall action skbedit priority 0x10002<br /> # ping 192.0.2.2 -I eth0 -c2 -w1 -q<br /> <br /> produces the following splat:<br /> <br /> BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]<br /> Read of size 4 at addr ffff888171306924 by task ping/942<br /> <br /> CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441<br /> Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014<br /> Call Trace:<br /> dump_stack+0x92/0xc1<br /> print_address_description.constprop.7+0x1a/0x150<br /> kasan_report.cold.13+0x7f/0x111<br /> fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]<br /> __dev_queue_xmit+0x1034/0x2b10<br /> ip_finish_output2+0xc62/0x2120<br /> __ip_finish_output+0x553/0xea0<br /> ip_output+0x1ca/0x4d0<br /> ip_send_skb+0x37/0xa0<br /> raw_sendmsg+0x1c4b/0x2d00<br /> sock_sendmsg+0xdb/0x110<br /> __sys_sendto+0x1d7/0x2b0<br /> __x64_sys_sendto+0xdd/0x1b0<br /> do_syscall_64+0x3c/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7fe69735c3eb<br /> Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89<br /> RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c<br /> RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb<br /> RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003<br /> RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260<br /> R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0<br /> <br /> Allocated by task 917:<br /> kasan_save_stack+0x19/0x40<br /> __kasan_kmalloc+0x7f/0xa0<br /> __kmalloc_node+0x139/0x280<br /> fq_pie_init+0x555/0x8e8 [sch_fq_pie]<br /> qdisc_create+0x407/0x11b0<br /> tc_modify_qdisc+0x3c2/0x17e0<br /> rtnetlink_rcv_msg+0x346/0x8e0<br /> netlink_rcv_skb+0x120/0x380<br /> netlink_unicast+0x439/0x630<br /> netlink_sendmsg+0x719/0xbf0<br /> sock_sendmsg+0xe2/0x110<br /> ____sys_sendmsg+0x5ba/0x890<br /> ___sys_sendmsg+0xe9/0x160<br /> __sys_sendmsg+0xd3/0x170<br /> do_syscall_64+0x3c/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> The buggy address belongs to the object at ffff888171306800<br /> which belongs to the cache kmalloc-256 of size 256<br /> The buggy address is located 36 bytes to the right of<br /> 256-byte region [ffff888171306800, ffff888171306900)<br /> The buggy address belongs to the page:<br /> page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306<br /> head:00000000bcfb624e order:1 compound_mapcount:0<br /> flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)<br /> raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40<br /> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc<br /> &gt;ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ^<br /> ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> <br /> fix fq_pie traffic path to avoid selecting &amp;#39;q-&gt;flows + q-&gt;flows_cnt&amp;#39; as a<br /> valid flow: it&amp;#39;s an address beyond the allocated memory.