CVE-2021-47555
Severity: Pending analysis
Type: Unavailable / Other
Publication date: 24/05/2024
Last modified: 24/05/2024

Description
In the Linux kernel, the following vulnerability has been resolved:

net: vlan: fix underflow for the real_dev refcnt

Inject error before dev_hold(real_dev) in register_vlan_dev(),
and execute the following testcase:

    ip link add dev dummy1 type dummy
    ip link add name dummy1.100 link dummy1 type vlan id 100
    ip link del dev dummy1

When the dummy netdevice is removed, we will get a WARNING as follows:

=======================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0

and an endless loop of:

=======================================================================
unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824

That is because dev_put(real_dev) in vlan_dev_free() is called without
dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
underflow.

Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
symmetrical.
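
Added example, not part of the CVE record or the kernel patch: a userspace C model of the hold/put imbalance described above, comparing the old and new placement of the hold. The toy_* names, the starting refcount of 1 and the simplified teardown path are assumptions of the model, not kernel code.

```c
/* Userspace model of the real_dev hold/put imbalance; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct toy_dev { int refcnt; };             /* stands in for real_dev (dummy1) */

static void toy_hold(struct toy_dev *d) { d->refcnt++; }   /* models dev_hold() */
static void toy_put(struct toy_dev *d)  { d->refcnt--; }   /* models dev_put()  */

/* Models the ndo_init() callback (vlan_dev_init): runs first in registration. */
static void toy_vlan_init(struct toy_dev *real, bool hold_in_init)
{
    if (hold_in_init)
        toy_hold(real);                     /* placement after the fix */
}

/* Models vlan_dev_free(): unconditionally drops the reference on real_dev. */
static void toy_vlan_free(struct toy_dev *real) { toy_put(real); }

/*
 * Models register_vlan_dev() followed by destruction of the vlan device.
 * inject_error fails a step between init and the old hold location; the
 * half-registered device is then torn down through the free callback.
 * Returns real_dev's refcount once the vlan device is gone.
 */
static int toy_register_then_free(bool hold_in_init, bool inject_error)
{
    struct toy_dev real = { .refcnt = 1 };  /* assumed: one reference owned by dummy1 */

    toy_vlan_init(&real, hold_in_init);
    if (inject_error) {
        toy_vlan_free(&real);               /* error path: put without matching hold? */
        return real.refcnt;
    }
    if (!hold_in_init)
        toy_hold(&real);                    /* placement before the fix */
    toy_vlan_free(&real);                   /* ordinary removal of the vlan device */
    return real.refcnt;
}

int main(void)
{
    /* A result below 1 means dummy1's own final put will underflow. */
    printf("old placement, no error: %d\n", toy_register_then_free(false, false));
    printf("old placement, error:    %d\n", toy_register_then_free(false, true));
    printf("new placement, error:    %d\n", toy_register_then_free(true, true));
    return 0;
}
```

A return value of 0 in the old-placement error case is the missing reference: the later removal of dummy1 drops its own reference from a count that is already one too low.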