CVE-2021-47588
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/06/2024
Last modified:
01/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
sit: do not call ipip6_dev_free() from sit_init_net()<br />
<br />
ipip6_dev_free is sit dev->priv_destructor, already called<br />
by register_netdevice() if something goes wrong.<br />
<br />
Alternative would be to make ipip6_dev_free() robust against<br />
multiple invocations, but other drivers do not implement this<br />
strategy.<br />
<br />
syzbot reported:<br />
<br />
dst_release underflow<br />
WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173<br />
Modules linked in:<br />
CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br />
RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173<br />
Code: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48<br />
RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246<br />
RAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000<br />
RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000<br />
RBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c<br />
R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358<br />
R13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000<br />
FS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160<br />
ipip6_dev_free net/ipv6/sit.c:1414 [inline]<br />
sit_init_net+0x229/0x550 net/ipv6/sit.c:1936<br />
ops_init+0x313/0x430 net/core/net_namespace.c:140<br />
setup_net+0x35b/0x9d0 net/core/net_namespace.c:326<br />
copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470<br />
create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110<br />
unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226<br />
ksys_unshare+0x57d/0xb50 kernel/fork.c:3075<br />
__do_sys_unshare kernel/fork.c:3146 [inline]<br />
__se_sys_unshare kernel/fork.c:3144 [inline]<br />
__x64_sys_unshare+0x34/0x40 kernel/fork.c:3144<br />
do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
RIP: 0033:0x7f66c882ce99<br />
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110<br />
RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99<br />
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200<br />
RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br />
R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000<br />
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.11.9 (including) | 4.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.12.1 (including) | 4.14.259 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.222 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.88 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:4.12:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:4.12:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:4.12:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/44a6c846bc3a7efe7d394bab8b2ae3b7f580e190
- https://git.kernel.org/stable/c/4e1797914d8f223726ff6ae5ece4f97d73f21bab
- https://git.kernel.org/stable/c/6f46c59e60b64620d5d386c8ee2eaa11ebe3b595
- https://git.kernel.org/stable/c/ad0ed314d6167b212939e3839428ba0c8bb16adb
- https://git.kernel.org/stable/c/e28587cc491ef0f3c51258fdc87fbc386b1d4c59
- https://git.kernel.org/stable/c/e56b65c1e74d7f706d74b51baba15187be2fb4b5
- https://git.kernel.org/stable/c/44a6c846bc3a7efe7d394bab8b2ae3b7f580e190
- https://git.kernel.org/stable/c/4e1797914d8f223726ff6ae5ece4f97d73f21bab
- https://git.kernel.org/stable/c/6f46c59e60b64620d5d386c8ee2eaa11ebe3b595
- https://git.kernel.org/stable/c/ad0ed314d6167b212939e3839428ba0c8bb16adb
- https://git.kernel.org/stable/c/e28587cc491ef0f3c51258fdc87fbc386b1d4c59
- https://git.kernel.org/stable/c/e56b65c1e74d7f706d74b51baba15187be2fb4b5