CVE-2021-47590

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/06/2024
Last modified:
27/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix deadlock in __mptcp_push_pending()

__mptcp_push_pending() may call mptcp_flush_join_list() with subflow socket lock held. If such call hits mptcp_sockopt_sync_all() then subsequently __mptcp_sockopt_sync() could try to lock the subflow socket for itself, causing a deadlock.

sysrq: Show Blocked State
task:ss-server state:D stack: 0 pid: 938 ppid: 1 flags:0x00000000
Call Trace:
__schedule+0x2d6/0x10c0
? __mod_memcg_state+0x4d/0x70
? csum_partial+0xd/0x20
? _raw_spin_lock_irqsave+0x26/0x50
schedule+0x4e/0xc0
__lock_sock+0x69/0x90
? do_wait_intr_irq+0xa0/0xa0
__lock_sock_fast+0x35/0x50
mptcp_sockopt_sync_all+0x38/0xc0
__mptcp_push_pending+0x105/0x200
mptcp_sendmsg+0x466/0x490
sock_sendmsg+0x57/0x60
__sys_sendto+0xf0/0x160
? do_wait_intr_irq+0xa0/0xa0
? fpregs_restore_userregs+0x12/0xd0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9ba546c2d0
RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8

Fix the issue by using __mptcp_flush_join_list() instead of plain mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by Florian. The sockopt sync will be deferred to the workqueue.
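The lock recursion described above, modelled in userspace as an added example (not kernel code and not part of the advisory or the upstream patch). An error-checking pthread mutex stands in for the subflow socket lock, and `push_pending`, `sockopt_sync` and `worker` are hypothetical stand-ins for `__mptcp_push_pending()`, `__mptcp_sockopt_sync()` and the workqueue.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: an error-checking mutex stands in for the subflow socket lock. */
struct subflow {
    pthread_mutex_t lock;
    bool sync_pending;  /* sockopt sync left for the worker */
    int synced;         /* completed sockopt syncs */
};

static void subflow_init(struct subflow *s) {
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    /* ERRORCHECK: a relock by the owner returns EDEADLK instead of hanging */
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&s->lock, &attr);
    pthread_mutexattr_destroy(&attr);
    s->sync_pending = false;
    s->synced = 0;
}

/* Stand-in for __mptcp_sockopt_sync(): takes the subflow lock for itself. */
static int sockopt_sync(struct subflow *s) {
    int rc = pthread_mutex_lock(&s->lock);
    if (rc)
        return rc;
    s->synced++;
    s->sync_pending = false;
    return pthread_mutex_unlock(&s->lock);
}

/* Stand-in for __mptcp_push_pending(); defer=false is pre-fix, defer=true is fixed. */
static int push_pending(struct subflow *s, bool defer) {
    int rc = 0;
    pthread_mutex_lock(&s->lock);   /* subflow lock held while pushing data */
    if (defer)
        s->sync_pending = true;     /* fixed: mark only, the worker syncs later */
    else
        rc = sockopt_sync(s);       /* pre-fix: relock while already the owner */
    pthread_mutex_unlock(&s->lock);
    return rc;
}

/* Stand-in for the workqueue: runs with no subflow lock held. */
static int worker(struct subflow *s) { return s->sync_pending ? sockopt_sync(s) : 0; }

int main(void) {
    struct subflow s;
    subflow_init(&s);
    printf("pre-fix push: %s\n", push_pending(&s, false) == EDEADLK ? "EDEADLK" : "ok");
    int pushed = push_pending(&s, true), ran = worker(&s);
    printf("fixed push: %d, worker: %d, synced: %d\n", pushed, ran, s.synced);
}
```

In the kernel the socket lock has no such error check, so the pre-fix path blocks in `__lock_sock()` as the trace shows rather than returning an error.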

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 5.15.11 (excluding)