Lucene search

K
cvelistLinuxCVELIST:CVE-2021-47515
HistoryMay 24, 2024 - 3:09 p.m.

CVE-2021-47515 seg6: fix the iif in the IPv6 socket control block

2024-05-2415:09:29
Linux
www.cve.org
linux kernel
vulnerability
seg6
ipv6
ipv4
socket control block
pointer dereference
iif

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.3%

In the Linux kernel, the following vulnerability has been resolved:

seg6: fix the iif in the IPv6 socket control block

When an IPv4 packet is received, the ip_rcv_core(…) sets the receiving
interface index into the IPv4 socket control block (v5.16-rc4,
net/ipv4/ip_input.c line 510):

IPCB(skb)->iif = skb->skb_iif;

If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH
header, the seg6_do_srh_encap(…) performs the required encapsulation.
In this case, the seg6_do_srh_encap function clears the IPv6 socket control
block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163):

memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));

The memset(…) was introduced in commit ef489749aae5 (“ipv6: sr: clear
IP6CB(skb) on SRH ip4ip6 encapsulation”) a long time ago (2019-01-29).

Since the IPv6 socket control block and the IPv4 socket control block share
the same memory area (skb->cb), the receiving interface index info is lost
(IP6CB(skb)->iif is set to zero).

As a side effect, that condition triggers a NULL pointer dereference if
commit 0857d6f8c759 (“ipv6: When forwarding count rx stats on the orig
netdev”) is applied.

To fix that issue, we set the IP6CB(skb)->iif with the index of the
receiving interface once again.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ipv6/seg6_iptunnel.c"
    ],
    "versions": [
      {
        "version": "c630ec8bdada",
        "lessThan": "b16d412e5f79",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "2f704348c93f",
        "lessThan": "6431e71093f3",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ef489749aae5",
        "lessThan": "ef8804e47c0a",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ef489749aae5",
        "lessThan": "666521b3852d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ef489749aae5",
        "lessThan": "98adb2bbfa40",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "ef489749aae5",
        "lessThan": "ae68d93354e5",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ipv6/seg6_iptunnel.c"
    ],
    "versions": [
      {
        "version": "5.0",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.0",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.258",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.221",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.165",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.85",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.8",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.3%

Related for CVELIST:CVE-2021-47515