CVE-2021-47517 ethtool: do not perform operations on net devices being unregistered

2024-05-2415:09:30

Linux

www.cve.org

vulnerability

ethtool

unregistered net devices

linux kernel

netlink part

ioctl

patch

rtnl lock section

null pointer exceptions

use-after-free

kobject_get

cve-2021-47517

6.4 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

ethtool: do not perform operations on net devices being unregistered

There is a short period between a net device starts to be unregistered
and when it is actually gone. In that time frame ethtool operations
could still be performed, which might end up in unwanted or undefined
behaviours[1].

Do not allow ethtool operations after a net device starts its
unregistration. This patch targets the netlink part as the ioctl one
isn’t affected: the reference to the net device is taken and the
operation is executed within an rtnl lock section and the net device
won’t be found after unregister.

[1] For example adding Tx queues after unregister ends up in NULL
pointer exceptions and UaFs, such as:

  BUG: KASAN: use-after-free in kobject_get+0x14/0x90
  Read of size 1 at addr ffff88801961248c by task ethtool/755

  CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
  Call Trace:
   dump_stack_lvl+0x57/0x72
   print_address_description.constprop.0+0x1f/0x140
   kasan_report.cold+0x7f/0x11b
   kobject_get+0x14/0x90
   kobject_add_internal+0x3d1/0x450
   kobject_init_and_add+0xba/0xf0
   netdev_queue_update_kobjects+0xcf/0x200
   netif_set_real_num_tx_queues+0xb4/0x310
   veth_set_channels+0x1c3/0x550
   ethnl_set_channels+0x524/0x610

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ethtool/netlink.c"
    ],
    "versions": [
      {
        "version": "041b1c5d4a53",
        "lessThan": "7c26da3be1e9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "041b1c5d4a53",
        "lessThan": "cfd719f04267",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "041b1c5d4a53",
        "lessThan": "dde91ccfa25f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ethtool/netlink.c"
    ],
    "versions": [
      {
        "version": "5.6",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.6",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.87",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.8",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]