Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2021-47595

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/06/2024
Last modified:
31/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_ets: don&amp;#39;t remove idle classes from the round-robin list<br /> <br /> Shuang reported that the following script:<br /> <br /> 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7<br /> 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &amp;<br /> 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3<br /> <br /> crashes systematically when line 2) is commented:<br /> <br /> list_del corruption, ffff8e028404bd30-&gt;next is LIST_POISON1 (dead000000000100)<br /> ------------[ cut here ]------------<br /> kernel BUG at lib/list_debug.c:47!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478<br /> Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014<br /> RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47<br /> Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe<br /> RSP: 0018:ffffae46807a3888 EFLAGS: 00010246<br /> RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202<br /> RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff<br /> RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff<br /> R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800<br /> R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400<br /> FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> ets_qdisc_change+0x58b/0xa70 [sch_ets]<br /> tc_modify_qdisc+0x323/0x880<br /> rtnetlink_rcv_msg+0x169/0x4a0<br /> netlink_rcv_skb+0x50/0x100<br /> netlink_unicast+0x1a5/0x280<br /> netlink_sendmsg+0x257/0x4d0<br /> sock_sendmsg+0x5b/0x60<br /> ____sys_sendmsg+0x1f2/0x260<br /> ___sys_sendmsg+0x7c/0xc0<br /> __sys_sendmsg+0x57/0xa0<br /> do_syscall_64+0x3a/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7efdc8031338<br /> Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55<br /> RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338<br /> RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940<br /> R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001<br /> R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]<br /> ---[ end trace f35878d1912655c2 ]---<br /> RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47<br /> Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe<br /> RSP: 0018:ffffae46807a3888 EFLAGS: 00010246<br /> RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202<br /> RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff<br /> RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff<br /> R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800<br /> R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400<br /> FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.83 (including) 5.10.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.6 (including) 5.15.11 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools