Lucene search

K
cve416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2021-47555
HistoryMay 24, 2024 - 3:15 p.m.

CVE-2021-47555

2024-05-2415:15:20
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
24
linux kernel
vlan
refcnt underflow vulnerability
netdevice removal
memory leak

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

In the Linux kernel, the following vulnerability has been resolved:

net: vlan: fix underflow for the real_dev refcnt

Inject error before dev_hold(real_dev) in register_vlan_dev(),
and execute the following testcase:

ip link add dev dummy1 type dummy
ip link add name dummy1.100 link dummy1 type vlan id 100
ip link del dev dummy1

When the dummy netdevice is removed, we will get a WARNING as following:

=======================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0

and an endless loop of:

=======================================================================
unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824

That is because dev_put(real_dev) in vlan_dev_free() be called without
dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
underflow.

Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
ndo_init(). That makes dev_hold() and dev_put() for vlan’s real_dev
symmetrical.

Affected configurations

Vulners
Node
linuxlinux_kernelRange5.4.1605.4.163
OR
linuxlinux_kernelRange5.10.805.10.83
OR
linuxlinux_kernelRange5.15.35.15.6

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/8021q/vlan.c",
      "net/8021q/vlan_dev.c"
    ],
    "versions": [
      {
        "version": "700602b662d7",
        "lessThan": "5e44178864b3",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "e04a7a84bb77",
        "lessThan": "6e800ee43218",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "21032425c36f",
        "lessThan": "f7fc72a508cf",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "563bcbae3ba2",
        "lessThan": "01d9cc2dea3f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/8021q/vlan.c",
      "net/8021q/vlan_dev.c"
    ],
    "versions": [
      {
        "version": "5.4.160",
        "lessThan": "5.4.163",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "5.10.80",
        "lessThan": "5.10.83",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "5.15.3",
        "lessThan": "5.15.6",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%