CVE-2021-47222
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
21/05/2024
Last modified:
29/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: bridge: fix vlan tunnel dst refcnt when egressing<br />
<br />
The egress tunnel code uses dst_clone() and directly sets the result<br />
which is wrong because the entry might have 0 refcnt or be already deleted,<br />
causing number of problems. It also triggers the WARN_ON() in dst_hold()[1]<br />
when a refcnt couldn&#39;t be taken. Fix it by using dst_hold_safe() and<br />
checking if a reference was actually taken before setting the dst.<br />
<br />
[1] dmesg WARN_ON log and following refcnt errors<br />
WARNING: CPU: 5 PID: 38 at include/net/dst.h:230 br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]<br />
Modules linked in: 8021q garp mrp bridge stp llc bonding ipv6 virtio_net<br />
CPU: 5 PID: 38 Comm: ksoftirqd/5 Kdump: loaded Tainted: G W 5.13.0-rc3+ #360<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014<br />
RIP: 0010:br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]<br />
Code: e8 85 bc 01 e1 45 84 f6 74 90 45 31 f6 85 db 48 c7 c7 a0 02 19 a0 41 0f 94 c6 31 c9 31 d2 44 89 f6 e8 64 bc 01 e1 85 db 75 02 0b 31 c9 31 d2 44 89 f6 48 c7 c7 70 02 19 a0 e8 4b bc 01 e1 49<br />
RSP: 0018:ffff8881003d39e8 EFLAGS: 00010246<br />
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000<br />
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffa01902a0<br />
RBP: ffff8881040c6700 R08: 0000000000000000 R09: 0000000000000001<br />
R10: 2ce93d0054fe0d00 R11: 54fe0d00000e0000 R12: ffff888109515000<br />
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000401<br />
FS: 0000000000000000(0000) GS:ffff88822bf40000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007f42ba70f030 CR3: 0000000109926000 CR4: 00000000000006e0<br />
Call Trace:<br />
br_handle_vlan+0xbc/0xca [bridge]<br />
__br_forward+0x23/0x164 [bridge]<br />
deliver_clone+0x41/0x48 [bridge]<br />
br_handle_frame_finish+0x36f/0x3aa [bridge]<br />
? skb_dst+0x2e/0x38 [bridge]<br />
? br_handle_ingress_vlan_tunnel+0x3e/0x1c8 [bridge]<br />
? br_handle_frame_finish+0x3aa/0x3aa [bridge]<br />
br_handle_frame+0x2c3/0x377 [bridge]<br />
? __skb_pull+0x33/0x51<br />
? vlan_do_receive+0x4f/0x36a<br />
? br_handle_frame_finish+0x3aa/0x3aa [bridge]<br />
__netif_receive_skb_core+0x539/0x7c6<br />
? __list_del_entry_valid+0x16e/0x1c2<br />
__netif_receive_skb_list_core+0x6d/0xd6<br />
netif_receive_skb_list_internal+0x1d9/0x1fa<br />
gro_normal_list+0x22/0x3e<br />
dev_gro_receive+0x55b/0x600<br />
? detach_buf_split+0x58/0x140<br />
napi_gro_receive+0x94/0x12e<br />
virtnet_poll+0x15d/0x315 [virtio_net]<br />
__napi_poll+0x2c/0x1c9<br />
net_rx_action+0xe6/0x1fb<br />
__do_softirq+0x115/0x2d8<br />
run_ksoftirqd+0x18/0x20<br />
smpboot_thread_fn+0x183/0x19c<br />
? smpboot_unregister_percpu_thread+0x66/0x66<br />
kthread+0x10a/0x10f<br />
? kthread_mod_delayed_work+0xb6/0xb6<br />
ret_from_fork+0x22/0x30<br />
---[ end trace 49f61b07f775fd2b ]---<br />
dst_release: dst:00000000c02d677a refcnt:-1<br />
dst_release underflow
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.11 (including) | 4.14.238 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.196 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.128 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/25053a8404ba17ca48f5553d487afc1882e9f56c
- https://git.kernel.org/stable/c/42020f7f37a90d24b9551f5f7eba3f7c7c102968
- https://git.kernel.org/stable/c/79855be6445b6592bddb7bd7167083ec8cdbd73f
- https://git.kernel.org/stable/c/84fc1c944e45ab317e2e70a0e7f76fa2a5e43b6e
- https://git.kernel.org/stable/c/cfc579f9d89af4ada58c69b03bcaa4887840f3b3
- https://git.kernel.org/stable/c/fc7fdd8c5c2ad2fe3e297698be9d4dbe4a4e0579
- https://git.kernel.org/stable/c/25053a8404ba17ca48f5553d487afc1882e9f56c
- https://git.kernel.org/stable/c/42020f7f37a90d24b9551f5f7eba3f7c7c102968
- https://git.kernel.org/stable/c/79855be6445b6592bddb7bd7167083ec8cdbd73f
- https://git.kernel.org/stable/c/84fc1c944e45ab317e2e70a0e7f76fa2a5e43b6e
- https://git.kernel.org/stable/c/cfc579f9d89af4ada58c69b03bcaa4887840f3b3
- https://git.kernel.org/stable/c/fc7fdd8c5c2ad2fe3e297698be9d4dbe4a4e0579