CVE-2021-47451

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value<br /> <br /> Currently, when the rule related to IDLETIMER is added, idletimer_tg timer<br /> structure is initialized by kmalloc on executing idletimer_tg_create<br /> function. However, in this process timer-&gt;timer_type is not defined to<br /> a specific value. Thus, timer-&gt;timer_type has garbage value and it occurs<br /> kernel panic. So, this commit fixes the panic by initializing<br /> timer-&gt;timer_type using kzalloc instead of kmalloc.<br /> <br /> Test commands:<br /> # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test<br /> $ cat /sys/class/xt_idletimer/timers/test<br /> Killed<br /> <br /> Splat looks like:<br /> BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70<br /> Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917<br /> CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014<br /> Call Trace:<br /> dump_stack_lvl+0x6e/0x9c<br /> kasan_report.cold+0x112/0x117<br /> ? alarm_expires_remaining+0x49/0x70<br /> __asan_load8+0x86/0xb0<br /> alarm_expires_remaining+0x49/0x70<br /> idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]<br /> dev_attr_show+0x3c/0x60<br /> sysfs_kf_seq_show+0x11d/0x1f0<br /> ? device_remove_bin_file+0x20/0x20<br /> kernfs_seq_show+0xa4/0xb0<br /> seq_read_iter+0x29c/0x750<br /> kernfs_fop_read_iter+0x25a/0x2c0<br /> ? __fsnotify_parent+0x3d1/0x570<br /> ? iov_iter_init+0x70/0x90<br /> new_sync_read+0x2a7/0x3d0<br /> ? __x64_sys_llseek+0x230/0x230<br /> ? rw_verify_area+0x81/0x150<br /> vfs_read+0x17b/0x240<br /> ksys_read+0xd9/0x180<br /> ? vfs_write+0x460/0x460<br /> ? do_syscall_64+0x16/0xc0<br /> ? lockdep_hardirqs_on+0x79/0x120<br /> __x64_sys_read+0x43/0x50<br /> do_syscall_64+0x3b/0xc0<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f0cdc819142<br /> Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24<br /> RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000<br /> RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142<br /> RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003<br /> RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000<br /> R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0<br /> R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000