Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2021-47126

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
15/03/2024
Last modified:
04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions<br /> <br /> Reported by syzbot:<br /> HEAD commit: 90c911ad Merge tag &amp;#39;fixes&amp;#39; of git://git.kernel.org/pub/scm..<br /> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master<br /> dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7<br /> compiler: Debian clang version 11.0.1-2<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]<br /> BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732<br /> Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760<br /> <br /> CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:79 [inline]<br /> dump_stack+0x202/0x31e lib/dump_stack.c:120<br /> print_address_description+0x5f/0x3b0 mm/kasan/report.c:232<br /> __kasan_report mm/kasan/report.c:399 [inline]<br /> kasan_report+0x15c/0x200 mm/kasan/report.c:416<br /> fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]<br /> fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732<br /> fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536<br /> fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174<br /> rcu_do_batch kernel/rcu/tree.c:2559 [inline]<br /> rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794<br /> __do_softirq+0x372/0x7a6 kernel/softirq.c:345<br /> invoke_softirq kernel/softirq.c:221 [inline]<br /> __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422<br /> irq_exit_rcu+0x5/0x20 kernel/softirq.c:434<br /> sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100<br /> <br /> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632<br /> RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515<br /> Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d<br /> RSP: 0018:ffffc90009e06560 EFLAGS: 00000206<br /> RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1<br /> R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000<br /> R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4<br /> rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267<br /> rcu_read_lock include/linux/rcupdate.h:656 [inline]<br /> ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231<br /> ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212<br /> ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379<br /> ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982<br /> ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238<br /> ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638<br /> ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848<br /> ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900<br /> ext4_append+0x1a4/0x360 fs/ext4/namei.c:67<br /> ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768<br /> ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814<br /> vfs_mkdir+0x45b/0x640 fs/namei.c:3819<br /> ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]<br /> ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146<br /> ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193<br /> ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788<br /> ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355<br /> ovl_get_workdir fs/overlayfs/super.c:1492 [inline]<br /> ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035<br /> mount_nodev+0x52/0xe0 fs/super.c:1413<br /> legacy_get_tree+0xea/0x180 fs/fs_context.c:592<br /> vfs_get_tree+0x86/0x270 fs/super.c:1497<br /> do_new_mount fs/namespace.c:2903 [inline]<br /> path_mount+0x196f/0x2be0 fs/namespace.c:3233<br /> do_mount fs/namespace.c:3246 [inline]<br /> __do_sys_mount fs/namespace.c:3454 [inline]<br /> __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431<br /> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x4665f9<br /> Code: ff ff c3 66 2e 0f 1f 84 <br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.3 (including) 5.4.125 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools