CVE-2021-47555

2024-05-2415:15:20

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

vlan

refcnt underflow vulnerability

netdevice removal

memory leak

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: vlan: fix underflow for the real_dev refcnt

Inject error before dev_hold(real_dev) in register_vlan_dev(),
and execute the following testcase:

ip link add dev dummy1 type dummy
ip link add name dummy1.100 link dummy1 type vlan id 100
ip link del dev dummy1

When the dummy netdevice is removed, we will get a WARNING as following:

=======================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0

and an endless loop of:

=======================================================================
unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824

That is because dev_put(real_dev) in vlan_dev_free() be called without
dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
underflow.

Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
ndo_init(). That makes dev_hold() and dev_put() for vlan’s real_dev
symmetrical.

Affected configurations

Vulners

Node

linuxlinux_kernelRange5.4.160–5.4.163

linuxlinux_kernelRange5.10.80–5.10.83

linuxlinux_kernelRange5.15.3–5.15.6

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/8021q/vlan.c",
      "net/8021q/vlan_dev.c"
    ],
    "versions": [
      {
        "version": "700602b662d7",
        "lessThan": "5e44178864b3",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e04a7a84bb77",
        "lessThan": "6e800ee43218",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "21032425c36f",
        "lessThan": "f7fc72a508cf",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "563bcbae3ba2",
        "lessThan": "01d9cc2dea3f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/8021q/vlan.c",
      "net/8021q/vlan_dev.c"
    ],
    "versions": [
      {
        "version": "5.4.160",
        "lessThan": "5.4.163",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "5.10.80",
        "lessThan": "5.10.83",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "5.15.3",
        "lessThan": "5.15.6",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]