CVE-2021-47546
Published: 2024-05-24 15:15:19 (source: web.nvd.nist.gov; CNA 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
CWE-401 (Missing Release of Memory after Effective Lifetime)
Tags: linux kernel, ipv6, memory leak, nftables, firewall rule, patch, routing rules, security vulnerability

CVSS v3.1: 5.5 Medium
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vulners AI Score: 6.8 Medium (confidence: Low)
EPSS: 0.0004 Low (percentile: 5.1%)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix memory leak in fib6_rule_suppress

The kernel leaks memory when a fib rule is present in IPv6 nftables
firewall rules and a suppress_prefix rule is present in the IPv6 routing
rules (used by certain tools such as wg-quick). In such scenarios, every
incoming packet will leak an allocation in ip6_dst_cache slab cache.

After some hours of bpftrace-ing and source code reading, I tracked
down the issue to ca7a03c41753 ("ipv6: do not free rt if
FIB_LOOKUP_NOREF is set on suppress rule").

The problem with that change is that the generic args->flags always have
FIB_LOOKUP_NOREF set [1] but the IPv6-specific flag
RT6_LOOKUP_F_DST_NOREF might not be, leading to fib6_rule_suppress not
decreasing the refcount when needed.

How to reproduce:

  • Add the following nftables rule to a prerouting chain:
    meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    This can be done with:
    sudo nft create table inet test
    sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'
    sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop
  • Run:
    sudo ip -6 rule add table main suppress_prefixlength 0
  • Watch sudo slabtop -o | grep ip6_dst_cache to see memory usage increase
    with every incoming ipv6 packet.

This patch exposes the protocol-specific flags to the protocol-specific
suppress function, and checks the protocol-specific flags argument for
RT6_LOOKUP_F_DST_NOREF instead of the generic FIB_LOOKUP_NOREF when
decreasing the refcount, like this.
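The flag mismatch described above, as an added example that is not the kernel's own code: a user-space C model of the reference accounting in fib6_rule_suppress() before and after the fix. Kernel types are replaced by minimal structs with an explicit refcount so the leak can be counted, every name prefixed model_ is an assumption of this example, and the two flag values are stand-ins for the real constants in include/net/fib_rules.h and include/net/ip6_route.h. The model follows the advisory's scenario: the generic args->flags always carry FIB_LOOKUP_NOREF, while a lookup that arrives without RT6_LOOKUP_F_DST_NOREF matches the default route (prefix length 0), which a "suppress_prefixlength 0" rule suppresses.

```c
/*
 * Added example, not kernel code: a user-space model of the refcount
 * accounting behind CVE-2021-47546. Names prefixed model_ are assumptions of
 * this example; the flag values are stand-ins for the real constants.
 */
#include <stdbool.h>
#include <stdio.h>

#define FIB_LOOKUP_NOREF       0x1   /* generic fib_rules flag, lives in arg->flags */
#define RT6_LOOKUP_F_DST_NOREF 0x80  /* IPv6 lookup flag, a separate flag word */

struct model_rt6 {
	int refcnt;  /* stands in for the dst refcount of an rt6_info */
	int plen;    /* rt6i_dst.plen, prefix length of the matched route */
};

struct model_rule {
	int suppress_prefixlen;  /* "suppress_prefixlength N" of the ip rule */
};

struct model_lookup_arg {
	int flags;             /* generic flags; the advisory: always FIB_LOOKUP_NOREF */
	struct model_rt6 *rt;  /* lookup result handed to the suppress callback */
};

static void model_ip6_rt_put(struct model_rt6 *rt)
{
	rt->refcnt--;
}

/* The IPv6 lookup skips taking a reference only when the caller asked for
 * RT6_LOOKUP_F_DST_NOREF; otherwise whoever suppresses or consumes the
 * result must drop that reference. */
static struct model_rt6 *model_lookup(struct model_rt6 *rt, int rt6_flags)
{
	if (!(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
		rt->refcnt++;
	return rt;
}

/* Pre-fix decision (ca7a03c41753): keyed on the generic flags, which always
 * carry FIB_LOOKUP_NOREF, so the put never happens. */
static bool suppress_before(const struct model_rule *rule,
			    struct model_lookup_arg *arg)
{
	struct model_rt6 *rt = arg->rt;

	if (!rt || rt->plen > rule->suppress_prefixlen)
		return false;
	if (!(arg->flags & FIB_LOOKUP_NOREF))
		model_ip6_rt_put(rt);
	return true;
}

/* Post-fix decision (cdef485217d3): the protocol-specific flags are passed
 * in and the put is keyed on RT6_LOOKUP_F_DST_NOREF. */
static bool suppress_after(const struct model_rule *rule, int rt6_flags,
			   struct model_lookup_arg *arg)
{
	struct model_rt6 *rt = arg->rt;

	if (!rt || rt->plen > rule->suppress_prefixlen)
		return false;
	if (!(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
		model_ip6_rt_put(rt);
	return true;
}

/* Run npackets lookups against one route of prefix length plen with a
 * "suppress_prefixlength 0" rule installed; return the references still held
 * on the route afterwards. 0 is balanced, anything else is the leak (one
 * ip6_dst_cache object per packet in the real kernel). */
static int model_leaked_refs(bool fixed, int rt6_flags, int plen, int npackets)
{
	struct model_rt6 rt = { .refcnt = 0, .plen = plen };
	struct model_rule rule = { .suppress_prefixlen = 0 };
	int i;

	for (i = 0; i < npackets; i++) {
		struct model_lookup_arg arg = { .flags = FIB_LOOKUP_NOREF, .rt = NULL };
		bool suppressed;

		arg.rt = model_lookup(&rt, rt6_flags);
		suppressed = fixed ? suppress_after(&rule, rt6_flags, &arg)
				   : suppress_before(&rule, &arg);
		/* An unsuppressed result goes back to the caller, which drops
		 * its own reference when finished with it. */
		if (!suppressed && !(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
			model_ip6_rt_put(&rt);
	}
	return rt.refcnt;
}

int main(void)
{
	/* Advisory scenario: lookup without DST_NOREF hits the default route. */
	printf("before fix, default route:      %d refs leaked per 1000 packets\n",
	       model_leaked_refs(false, 0, 0, 1000));
	printf("after fix,  default route:      %d refs leaked per 1000 packets\n",
	       model_leaked_refs(true, 0, 0, 1000));
	printf("after fix,  DST_NOREF lookup:   %d refs leaked per 1000 packets\n",
	       model_leaked_refs(true, RT6_LOOKUP_F_DST_NOREF, 0, 1000));
	printf("after fix,  /64 not suppressed: %d refs leaked per 1000 packets\n",
	       model_leaked_refs(true, 0, 64, 1000));
	return 0;
}
```

Build with cc -Wall. The pre-fix path leaves one reference per packet on the suppressed route, which is the unbounded growth of ip6_dst_cache that slabtop shows in the reproduction above; the fixed path is balanced whether or not the lookup asked for RT6_LOOKUP_F_DST_NOREF, and the unsuppressed more-specific route case confirms the fix does not introduce a double put, since there the caller still drops the reference it owns.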

Affected configurations (NVD)

linux:linux_kernel from 5.4 up to (excluding) 5.4.164
OR linux:linux_kernel from 5.5.0 up to (excluding) 5.10.84
OR linux:linux_kernel from 5.11.0 up to (excluding) 5.15.7
OR linux:linux_kernel 5.16.0 (no upper bound given on the page; the CNA data below marks 5.16 as the release carrying the fix)

The upper bounds are exclusive: 5.4.164, 5.10.84, 5.15.7 and 5.16 are the fixed releases listed as unaffected in the CNA data.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "include/net/fib_rules.h",
      "net/core/fib_rules.c",
      "net/ipv4/fib_rules.c",
      "net/ipv6/fib6_rules.c"
    ],
    "versions": [
      {
        "version": "ca7a03c41753",
        "lessThan": "ee38eb8cf9a7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ca7a03c41753",
        "lessThan": "209d35ee34e2",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ca7a03c41753",
        "lessThan": "8ef8a76a340e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ca7a03c41753",
        "lessThan": "cdef485217d3",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "include/net/fib_rules.h",
      "net/core/fib_rules.c",
      "net/ipv4/fib_rules.c",
      "net/ipv6/fib6_rules.c"
    ],
    "versions": [
      {
        "version": "5.4",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.4",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.164",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.84",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.7",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
