CVE-2021-47010 net: Only allow init netns to set default tcp cong to a restricted algo

2024-02-2808:13:29

Linux

github.com

linux kernel

netns

tcp congestion control

AI Score

6.6

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: Only allow init netns to set default tcp cong to a restricted algo

tcp_set_default_congestion_control() is netns-safe in that it writes
to &net->ipv4.tcp_congestion_control, but it also sets
ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced.
This has the unintended side-effect of changing the global
net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it
is read-only: 97684f0970f6 (“net: Make tcp_allowed_congestion_control
readonly in non-init netns”)

Resolve this netns “leak” by only allowing the init netns to set the
default algorithm to one that is restricted. This restriction could be
removed if tcp_allowed_congestion_control were namespace-ified in the
future.

This bug was uncovered with
https://github.com/JonathonReinhart/linux-netns-sysctl-verify

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
    ],
    "vendor": "linux",
    "product": "linux_kernel",
    "versions": [
      {
        "status": "affected",
        "version": "6670e1524477",
        "lessThan": "992de06308d9",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6670e1524477",
        "lessThan": "9884f745108f",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6670e1524477",
        "lessThan": "6c1ea8bee75d",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6670e1524477",
        "lessThan": "efe1532a6e1a",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6670e1524477",
        "lessThan": "e7d7bedd507b",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6670e1524477",
        "lessThan": "8d432592f30f",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.15"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "4.15",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "4.19.191",
        "versionType": "custom",
        "lessThanOrEqual": "4.20"
      },
      {
        "status": "unaffected",
        "version": "5.4.119",
        "versionType": "custom",
        "lessThanOrEqual": "5.5"
      },
      {
        "status": "unaffected",
        "version": "5.10.37",
        "versionType": "custom",
        "lessThanOrEqual": "5.11"
      },
      {
        "status": "unaffected",
        "version": "5.11.21",
        "versionType": "custom",
        "lessThanOrEqual": "5.12"
      },
      {
        "status": "unaffected",
        "version": "5.12.4",
        "versionType": "custom",
        "lessThanOrEqual": "5.13"
      },
      {
        "status": "unaffected",
        "version": "5.13",
        "versionType": "custom",
        "lessThanOrEqual": "*"
      }
    ],
    "defaultStatus": "unknown"
  }
]