CVE-2021-46974 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix masking negation logic upon negative dst register The negation logic for the case where the off_reg is sitting in the dst register is not correct given then we cannot just invert the add to a sub or vice versa. As a fix, perform the final bitwise and-op unconditionally into AX from the off_reg, then move the pointer from the src to dst and finally use AX as the source for the original pointer arithmetic operation such that the inversion yields a correct result. The single non-AX mov in between is possible given constant blinding is retaining it as it's not an immediate based operation.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c
https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d
https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba
https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848
https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc
https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66
https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807
https://lore.kernel.org/linux-cve-announce/2024022721-CVE-2021-46974-0852@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2021-46974
https://www.cve.org/CVERecord?id=CVE-2021-46974

History

Mon, 04 Nov 2024 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-02-27T18:47:08.487Z

Updated: 2024-11-04T11:56:57.967Z

Reserved: 2024-02-27T18:42:55.944Z

Link: CVE-2021-46974

Vulnrichment

Updated: 2024-08-04T05:17:43.104Z

NVD

Status : Awaiting Analysis

Published: 2024-02-27T19:04:07.500

Modified: 2024-02-28T14:06:45.783

Link: CVE-2021-46974

Redhat

Severity : Moderate

Publid Date: 2024-02-27T00:00:00Z

Links: CVE-2021-46974 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-46974", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-27T18:42:55.944Z", "datePublished": "2024-02-27T18:47:08.487Z", "dateUpdated": "2024-11-04T11:56:57.967Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:56:57.967Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it's not an immediate based operation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "ae03b6b1c880", "lessThan": "4d542ddb88fb", "status": "affected", "versionType": "git"}, {"version": "f92a819b4cbe", "lessThan": "0e2dfdc74a7f", "status": "affected", "versionType": "git"}, {"version": "979d63d50c0c", "lessThan": "53e0db429b37", "status": "affected", "versionType": "git"}, {"version": "979d63d50c0c", "lessThan": "2cfa537674cd", "status": "affected", "versionType": "git"}, {"version": "979d63d50c0c", "lessThan": "6eba92a4d4be", "status": "affected", "versionType": "git"}, {"version": "979d63d50c0c", "lessThan": "7cf64d8679ca", "status": "affected", "versionType": "git"}, {"version": "979d63d50c0c", "lessThan": "b9b34ddbe207", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "5.0", "status": "affected"}, {"version": "0", "lessThan": "5.0", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.233", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.190", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.117", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.35", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.11.19", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.2", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba"}, {"url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c"}, {"url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848"}, {"url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d"}, {"url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc"}, {"url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66"}, {"url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807"}], "title": "bpf: Fix masking negation logic upon negative dst register", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-46974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T16:32:03.243683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:10.865Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:43.104Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:43.104Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-46974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T16:32:03.243683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:15.410Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "bpf: Fix masking negation logic upon negative dst register", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "ae03b6b1c880", "lessThan": "4d542ddb88fb", "versionType": "git"}, {"status": "affected", "version": "f92a819b4cbe", "lessThan": "0e2dfdc74a7f", "versionType": "git"}, {"status": "affected", "version": "979d63d50c0c", "lessThan": "53e0db429b37", "versionType": "git"}, {"status": "affected", "version": "979d63d50c0c", "lessThan": "2cfa537674cd", "versionType": "git"}, {"status": "affected", "version": "979d63d50c0c", "lessThan": "6eba92a4d4be", "versionType": "git"}, {"status": "affected", "version": "979d63d50c0c", "lessThan": "7cf64d8679ca", "versionType": "git"}, {"status": "affected", "version": "979d63d50c0c", "lessThan": "b9b34ddbe207", "versionType": "git"}], "programFiles": ["kernel/bpf/verifier.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.0"}, {"status": "unaffected", "version": "0", "lessThan": "5.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.14.233", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.190", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.117", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.35", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.11.19", "versionType": "semver", "lessThanOrEqual": "5.11.*"}, {"status": "unaffected", "version": "5.12.2", "versionType": "semver", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["kernel/bpf/verifier.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba"}, {"url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c"}, {"url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848"}, {"url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d"}, {"url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc"}, {"url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66"}, {"url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it's not an immediate based operation."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:56:57.967Z"}}}, "cveMetadata": {"cveId": "CVE-2021-46974", "state": "PUBLISHED", "dateUpdated": "2024-11-04T11:56:57.967Z", "dateReserved": "2024-02-27T18:42:55.944Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-27T18:47:08.487Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix masking negation logic upon negative dst register\n\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it's not an immediate based operation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la l\u00f3gica de negaci\u00f3n de enmascaramiento en el registro dst negativo. La l\u00f3gica de negaci\u00f3n para el caso en el que off_reg se encuentra en el registro dst no es correcta, dado que entonces no podemos simplemente invertir la adici\u00f3n a un sub o viceversa. Como soluci\u00f3n, realice la operaci\u00f3n final bit a bit incondicionalmente en AX desde off_reg, luego mueva el puntero de src a dst y finalmente use AX como fuente para la operaci\u00f3n aritm\u00e9tica del puntero original de modo que la inversi\u00f3n produzca un resultado correcto. El \u00fanico movimiento que no sea AX en el medio es posible dado que el cegamiento constante lo retiene, ya que no es una operaci\u00f3n inmediata."}], "id": "CVE-2021-46974", "lastModified": "2024-02-28T14:06:45.783", "metrics": {}, "published": "2024-02-27T19:04:07.500", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0e2dfdc74a7f4036127356d42ea59388f153f42c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2cfa537674cd1051a3b8111536d77d0558f33d5d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/53e0db429b37a32b8fc706d0d90eb4583ad13848"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6eba92a4d4be8feb4dc33976abac544fa99d6ecc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7cf64d8679ca1cb20cf57d6a88bfee79a0922a66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b9b34ddbe2076ade359cd5ce7537d5ed019e9807"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bpf: Fix masking negation logic upon negative dst register", "id": "2266826", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266826"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix masking negation logic upon negative dst register\nThe negation logic for the case where the off_reg is sitting in the\ndst register is not correct given then we cannot just invert the add\nto a sub or vice versa. As a fix, perform the final bitwise and-op\nunconditionally into AX from the off_reg, then move the pointer from\nthe src to dst and finally use AX as the source for the original\npointer arithmetic operation such that the inversion yields a correct\nresult. The single non-AX mov in between is possible given constant\nblinding is retaining it as it's not an immediate based operation."], "name": "CVE-2021-46974", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-46974\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-46974\nhttps://lore.kernel.org/linux-cve-announce/2024022721-CVE-2021-46974-0852@gregkh/T/#u"], "statement": "No Red Hat Products are affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kernel 4.14.233, kernel 4.19.190, kernel 5.4.117, kernel 5.10.35, kernel 5.11.19, kernel 5.12.2, kernel 5.13"}