CVE-2021-46912

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/02/2024
Last modified: 17/04/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Make tcp_allowed_congestion_control readonly in non-init netns

Currently, tcp_allowed_congestion_control is global and writable;
writing to it in any net namespace will leak into all other net
namespaces.

tcp_available_congestion_control and tcp_allowed_congestion_control are
the only sysctls in ipv4_net_table (the per-netns sysctl table) with a
NULL data pointer; their handlers (proc_tcp_available_congestion_control
and proc_allowed_congestion_control) have no other way of referencing a
struct net. Thus, they operate globally.

Because ipv4_net_table does not use designated initializers, there is no
easy way to fix up this one "bad" table entry. However, the data pointer
updating logic shouldn't be applied to NULL pointers anyway, so we
instead force these entries to be read-only.

These sysctls used to exist in ipv4_table (init-net only), but they were
moved to the per-net ipv4_net_table, presumably without realizing that
tcp_allowed_congestion_control was writable and thus introduced a leak.

Because the intent of that commit was only to know (i.e. read) "which
congestion algorithms are available or allowed", this read-only solution
should be sufficient.

The logic added in recent commit
31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls")
does not and cannot check for NULL data pointers, because
other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have
.data=NULL but use other methods (.extra2) to access the struct net.
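
A userspace C model of the fix outlined in the description, added here as an example and not the kernel's own code: when the per-netns table is cloned for a non-init namespace, entries with a data pointer are relocated into that namespace, and NULL-data entries lose their write bits. `struct net_model`, `struct ctl_entry`, `clone_table` and the four-entry table are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model (assumption): these names are illustrative, not kernel symbols. */
struct net_model { int ecn; int mtu_probing; };   /* per-namespace state */
struct ctl_entry { const char *name; void *data; unsigned mode; };

static struct net_model init_net_model = { 2, 0 };

/* Template table: data points into init_net_model, or is NULL when the
 * handler can only reach global state (the two congestion-control lists). */
static struct ctl_entry template_table[] = {
    { "tcp_ecn",                          &init_net_model.ecn,         0644 },
    { "tcp_available_congestion_control", NULL,                        0444 },
    { "tcp_allowed_congestion_control",   NULL,                        0644 },
    { "tcp_mtu_probing",                  &init_net_model.mtu_probing, 0644 },
};
#define N_ENTRIES (sizeof(template_table) / sizeof(template_table[0]))

/* Build the table for one namespace. In a non-init namespace, relocate
 * non-NULL data pointers into that namespace and strip the write bits of
 * NULL-data entries, which would otherwise modify state shared by all. */
static struct ctl_entry *clone_table(struct net_model *net)
{
    struct ctl_entry *t = malloc(sizeof(template_table));
    if (!t)
        return NULL;
    memcpy(t, template_table, sizeof(template_table));
    if (net == &init_net_model)
        return t;                      /* init namespace keeps the template */
    for (size_t i = 0; i < N_ENTRIES; i++) {
        if (t[i].data)                 /* same field offset, new namespace */
            t[i].data = (char *)net + ((char *)t[i].data - (char *)&init_net_model);
        else
            t[i].mode &= ~0222u;       /* global entry: force read-only */
    }
    return t;
}

int main(void)
{
    struct net_model ns = { 0, 1 };    /* constructed non-init namespace */
    struct ctl_entry *t = clone_table(&ns);
    for (size_t i = 0; t && i < N_ENTRIES; i++)
        printf("%-34s mode=%04o %s\n", t[i].name, t[i].mode,
               t[i].data ? "per-netns" : "global");
    free(t);
    return t ? 0 : 1;
}
```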

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7.0 (including) | 5.10.32 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11.0 (including) | 5.11.16 (excluding)