CVE-2021-47363

Severity CVSS v4.0: Pending analysis
Type: CWE-369 Divide By Zero
Publication date: 21/05/2024
Last modified: 26/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Fix division by zero while replacing a resilient group

The resilient nexthop group torture tests in fib_nexthop.sh exposed a possible division by zero while replacing a resilient group [1]. The division by zero occurs when the data path sees a resilient nexthop group with zero buckets.

The tests replace a resilient nexthop group in a loop while traffic is forwarded through it. The tests do not specify the number of buckets while performing the replacement, resulting in the kernel allocating a stub resilient table (i.e., 'struct nh_res_table') with zero buckets.

This table should never be visible to the data path, but the old nexthop group (i.e., 'oldg') might still be used by the data path when the stub table is assigned to it.

Fix this by only assigning the stub table to the old nexthop group after making sure the group is no longer used by the data path.

Tested with fib_nexthops.sh:

Tests passed: 222
Tests failed: 0

[1]
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:nexthop_select_path+0x2d2/0x1a80
[...]
Call Trace:
fib_select_multipath+0x79b/0x1530
fib_select_path+0x8fb/0x1c10
ip_route_output_key_hash_rcu+0x1198/0x2da0
ip_route_output_key_hash+0x190/0x340
ip_route_output_flow+0x21/0x120
raw_sendmsg+0x91d/0x2e10
inet_sendmsg+0x9e/0xe0
__sys_sendto+0x23d/0x360
__x64_sys_sendto+0xe1/0x1b0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
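The ordering problem described above, as an added user-space model that is not kernel code and not part of the original advisory. The type names, the three step names and the bucket count of 32 are assumptions made for illustration; the "before fix" order is modeled only from the statement that the stub table was assigned while the data path might still use the old group.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; type and function names are illustrative. */
struct res_table { uint16_t num_buckets; };
struct nh_group { struct res_table *res_table; };

enum op { ASSIGN_STUB, PUBLISH_NEW, WAIT_READERS };
static const enum op ORDER_BEFORE_FIX[3] = { ASSIGN_STUB, PUBLISH_NEW, WAIT_READERS };
static const enum op ORDER_AFTER_FIX[3] = { PUBLISH_NEW, WAIT_READERS, ASSIGN_STUB };

/* Data-path lookup. Returns -1 where an unguarded hash % num_buckets
 * would raise a divide error. */
static int select_bucket(const struct nh_group *g, uint32_t hash)
{
    uint16_t n = g->res_table->num_buckets;
    return n ? (int)(hash % n) : -1;
}

/* Run the replacement steps in the given order. After each step, one reader
 * that picked up the old group earlier (and runs until WAIT_READERS) and one
 * reader that starts fresh both do a lookup. Returns how many saw 0 buckets. */
static int zero_bucket_lookups(const enum op order[3])
{
    struct res_table old_tbl = { 32 }, new_tbl = { 32 }, stub = { 0 };
    struct nh_group oldg = { &old_tbl }, newg = { &new_tbl };
    const struct nh_group *published = &oldg;
    int old_reader_running = 1, faults = 0;

    for (int i = 0; i < 3; i++) {
        switch (order[i]) {
        case ASSIGN_STUB:  oldg.res_table = &stub; break;  /* stub has 0 buckets */
        case PUBLISH_NEW:  published = &newg; break;       /* new readers see newg */
        case WAIT_READERS: old_reader_running = 0; break;  /* old readers are done */
        }
        if (old_reader_running && select_bucket(&oldg, 0xc0ffee) < 0)
            faults++;
        if (select_bucket(published, 0xc0ffee) < 0)
            faults++;
    }
    return faults;
}

int main(void)
{
    printf("before fix: %d lookups saw zero buckets\n", zero_bucket_lookups(ORDER_BEFORE_FIX));
    printf("after fix:  %d lookups saw zero buckets\n", zero_bucket_lookups(ORDER_AFTER_FIX));
    return 0;
}
```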

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.13 (including)   5.14.9 (excluding)
cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*