Ubuntu.comUB:CVE-2021-47517CVE-2021-47517
In the Linux kernel, the following vulnerability has been resolved:
ethtool: do not perform operations on net devices being unregistered There
is a short period between a net device starts to be unregistered and when
it is actually gone. In that time frame ethtool operations could still be
performed, which might end up in unwanted or undefined behaviours[1]. Do
not allow ethtool operations after a net device starts its unregistration.
This patch targets the netlink part as the ioctl one isn’t affected: the
reference to the net device is taken and the operation is executed within
an rtnl lock section and the net device won’t be found after unregister.
[1] For example adding Tx queues after unregister ends up in NULL pointer
exceptions and UaFs, such as: BUG: KASAN: use-after-free in
kobject_get+0x14/0x90 Read of size 1 at addr ffff88801961248c by task
ethtool/755 CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34
04/014 Call Trace: dump_stack_lvl+0x57/0x72
print_address_description.constprop.0+0x1f/0x140
kasan_report.cold+0x7f/0x11b kobject_get+0x14/0x90
kobject_add_internal+0x3d1/0x450 kobject_init_and_add+0xba/0xf0
netdev_queue_update_kobjects+0xcf/0x200
netif_set_real_num_tx_queues+0xb4/0x310 veth_set_channels+0x1c3/0x550
ethnl_set_channels+0x524/0x610
References
git.kernel.org/linus/dde91ccfa25fd58f64c397d91b81a4b393100ffa (5.16-rc5)
git.kernel.org/stable/c/7c26da3be1e9843a15b5318f90db8a564479d2ac
git.kernel.org/stable/c/cfd719f04267108f5f5bf802b9d7de69e99a99f9
git.kernel.org/stable/c/dde91ccfa25fd58f64c397d91b81a4b393100ffa
launchpad.net/bugs/cve/CVE-2021-47517
nvd.nist.gov/vuln/detail/CVE-2021-47517
security-tracker.debian.org/tracker/CVE-2021-47517
www.cve.org/CVERecord?id=CVE-2021-47517
Related
