CVE-2021-47394 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unlink table before deleting it syzbot reports following UAF: BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955 nla_strcmp+0xf2/0x130 lib/nlattr.c:836 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline] nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 Problem is that all get operations are lockless, so the commit_mutex held by nft_rcv_nl_event() isn't enough to stop a parallel GET request from doing read-accesses to the table object even after synchronize_rcu(). To avoid this, unlink the table first and store the table objects in on-stack scratch space.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e
https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04
https://lore.kernel.org/linux-cve-announce/2024052147-CVE-2021-47394-9ec5@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47394
https://www.cve.org/CVERecord?id=CVE-2021-47394

History

Mon, 04 Nov 2024 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-21T15:03:51.503Z

Updated: 2024-11-04T12:05:04.812Z

Reserved: 2024-05-21T14:58:30.814Z

Link: CVE-2021-47394

Vulnrichment

Updated: 2024-08-04T05:39:59.375Z

NVD

Status : Awaiting Analysis

Published: 2024-05-21T15:15:24.710

Modified: 2024-05-21T16:54:26.047

Link: CVE-2021-47394

Redhat

Severity : Moderate

Publid Date: 2024-05-21T00:00:00Z

Links: CVE-2021-47394 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47394", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T14:58:30.814Z", "datePublished": "2024-05-21T15:03:51.503Z", "dateUpdated": "2024-11-04T12:05:04.812Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:05:04.812Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unlink table before deleting it\n\nsyzbot reports following UAF:\nBUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955\n nla_strcmp+0xf2/0x130 lib/nlattr.c:836\n nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570\n nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]\n nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064\n nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\n\nProblem is that all get operations are lockless, so the commit_mutex\nheld by nft_rcv_nl_event() isn't enough to stop a parallel GET request\nfrom doing read-accesses to the table object even after synchronize_rcu().\n\nTo avoid this, unlink the table first and store the table objects in\non-stack scratch space."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "6001a930ce03", "lessThan": "f65c73d3aabb", "status": "affected", "versionType": "git"}, {"version": "6001a930ce03", "lessThan": "a499b03bf36b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.14.10", "lessThanOrEqual": "5.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04"}, {"url": "https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e"}], "title": "netfilter: nf_tables: unlink table before deleting it", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47394", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-28T18:27:57.258962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:40.569Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.375Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.375Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47394", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-28T18:27:57.258962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-28T18:28:02.403Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "netfilter: nf_tables: unlink table before deleting it", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6001a930ce03", "lessThan": "f65c73d3aabb", "versionType": "git"}, {"status": "affected", "version": "6001a930ce03", "lessThan": "a499b03bf36b", "versionType": "git"}], "programFiles": ["net/netfilter/nf_tables_api.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.12"}, {"status": "unaffected", "version": "0", "lessThan": "5.12", "versionType": "semver"}, {"status": "unaffected", "version": "5.14.10", "versionType": "semver", "lessThanOrEqual": "5.14.*"}, {"status": "unaffected", "version": "5.15", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/netfilter/nf_tables_api.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04"}, {"url": "https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unlink table before deleting it\n\nsyzbot reports following UAF:\nBUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955\n nla_strcmp+0xf2/0x130 lib/nlattr.c:836\n nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570\n nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]\n nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064\n nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\n\nProblem is that all get operations are lockless, so the commit_mutex\nheld by nft_rcv_nl_event() isn't enough to stop a parallel GET request\nfrom doing read-accesses to the table object even after synchronize_rcu().\n\nTo avoid this, unlink the table first and store the table objects in\non-stack scratch space."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:05:04.812Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47394", "state": "PUBLISHED", "dateUpdated": "2024-11-04T12:05:04.812Z", "dateReserved": "2024-05-21T14:58:30.814Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:03:51.503Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unlink table before deleting it\n\nsyzbot reports following UAF:\nBUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955\n nla_strcmp+0xf2/0x130 lib/nlattr.c:836\n nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570\n nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]\n nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064\n nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285\n netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\n\nProblem is that all get operations are lockless, so the commit_mutex\nheld by nft_rcv_nl_event() isn't enough to stop a parallel GET request\nfrom doing read-accesses to the table object even after synchronize_rcu().\n\nTo avoid this, unlink the table first and store the table objects in\non-stack scratch space."}, {"lang": "es", "value": " En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: desvincular la tabla antes de eliminarla syzbot informa de lo sigueinte. UAF: BUG: KASAN: use-after-free en memcmp+0x18f/0x1c0 lib/string.c:955 nla_strcmp+ 0xf2/0x130 lib/nlattr.c:836 nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570 nft_table_lookup net/netfilter/nf_tables_api.c:4064 [en l\u00ednea] nf_tables_getset+0x1b3/0x860 net /filtro de red/ nf_tables_api.c:4064 nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 El problema es que todas las operaciones de obtenci\u00f3n no tienen bloqueo, por lo que el commit_mutex mantenido por () no es suficiente para evitar que una solicitud GET paralela realice accesos de lectura al objeto de la tabla incluso despu\u00e9s de sincronizar_rcu(). Para evitar esto, primero desvincule la tabla y almacene los objetos de la tabla en el espacio temporal de la pila."}], "id": "CVE-2021-47394", "lastModified": "2024-05-21T16:54:26.047", "metrics": {}, "published": "2024-05-21T15:15:24.710", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a499b03bf36b0c2e3b958a381d828678ab0ffc5e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f65c73d3aabb87d4353e0bc4a718b5ae8c43fd04"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: nf_tables: unlink table before deleting it", "id": "2282344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282344"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_tables: unlink table before deleting it\nsyzbot reports following UAF:\nBUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955\nnla_strcmp+0xf2/0x130 lib/nlattr.c:836\nnft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570\nnft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]\nnf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064\nnfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285\nnetlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504\nProblem is that all get operations are lockless, so the commit_mutex\nheld by nft_rcv_nl_event() isn't enough to stop a parallel GET request\nfrom doing read-accesses to the table object even after synchronize_rcu().\nTo avoid this, unlink the table first and store the table objects in\non-stack scratch space."], "name": "CVE-2021-47394", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47394\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47394\nhttps://lore.kernel.org/linux-cve-announce/2024052147-CVE-2021-47394-9ec5@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.14.10, kernel 5.15"}