Lucene search

K
cve416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2021-47452
HistoryMay 22, 2024 - 7:15 a.m.

CVE-2021-47452

2024-05-2207:15:10
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
31
linux kernel
netfilter vulnerability
nf_tables
netdev events
netns removal
syzbot
harmless warn
unshare command
base hook unregister
notifier
nvd

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: skip netdev events generated on netns removal

syzbot reported following (harmless) WARN:

WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468
nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline]
nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline]
__nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524
nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline]
nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382

reproducer:
unshare -n bash -c ‘ip link add br0 type bridge; nft add table netdev t ;
nft add chain netdev t ingress { type filter hook ingress device “br0”
priority 0; policy drop; }’

Problem is that when netns device exit hooks create the UNREGISTER
event, the .pre_exit hook for nf_tables core has already removed the
base hook. Notifier attempts to do this again.

The need to do base hook unregister unconditionally was needed in the past,
because notifier was last stage where reg->dev dereference was safe.

Now that nf_tables does the hook removal in .pre_exit, this isn’t
needed anymore.

Affected configurations

Vulners
Node
linuxlinux_kernelRange5.115.14.15
OR
linuxlinux_kernelRange5.15.0

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/netfilter/nft_chain_filter.c"
    ],
    "versions": [
      {
        "version": "767d1216bff8",
        "lessThan": "90c7c58aa2bd",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "767d1216bff8",
        "lessThan": "68a3765c659f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/netfilter/nft_chain_filter.c"
    ],
    "versions": [
      {
        "version": "5.11",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.11",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14.15",
        "lessThanOrEqual": "5.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%