{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47563", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-24T15:11:00.728Z", "datePublished": "2024-05-24T15:12:51.398Z", "dateUpdated": "2025-05-04T07:13:38.447Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:13:38.447Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: avoid bpf_prog refcount underflow\n\nIce driver has the routines for managing XDP resources that are shared\nbetween ndo_bpf op and VSI rebuild flow. The latter takes place for\nexample when user changes queue count on an interface via ethtool's\nset_channels().\n\nThere is an issue around the bpf_prog refcounting when VSI is being\nrebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as\nan argument that is used later on by ice_vsi_assign_bpf_prog(), same\nbpf_prog pointers are swapped with each other. Then it is also\ninterpreted as an 'old_prog' which in turn causes us to call\nbpf_prog_put on it that will decrement its refcount.\n\nBelow splat can be interpreted in a way that due to zero refcount of a\nbpf_prog it is wiped out from the system while kernel still tries to\nrefer to it:\n\n[ 481.069429] BUG: unable to handle page fault for address: ffffc9000640f038\n[ 481.077390] #PF: supervisor read access in kernel mode\n[ 481.083335] #PF: error_code(0x0000) - not-present page\n[ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0\n[ 481.097141] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1\n[ 481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40\n[ 481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84\n[ 481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286\n[ 481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000\n[ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000\n[ 481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0\n[ 481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc\n[ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000\n[ 481.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0\n[ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 481.237029] Call Trace:\n[ 481.239856] rtnl_fill_ifinfo+0x768/0x12e0\n[ 481.244602] rtnl_dump_ifinfo+0x525/0x650\n[ 481.249246] ? __alloc_skb+0xa5/0x280\n[ 481.253484] netlink_dump+0x168/0x3c0\n[ 481.257725] netlink_recvmsg+0x21e/0x3e0\n[ 481.262263] ____sys_recvmsg+0x87/0x170\n[ 481.266707] ? __might_fault+0x20/0x30\n[ 481.271046] ? _copy_from_user+0x66/0xa0\n[ 481.275591] ? iovec_from_user+0xf6/0x1c0\n[ 481.280226] ___sys_recvmsg+0x82/0x100\n[ 481.284566] ? sock_sendmsg+0x5e/0x60\n[ 481.288791] ? __sys_sendto+0xee/0x150\n[ 481.293129] __sys_recvmsg+0x56/0xa0\n[ 481.297267] do_syscall_64+0x3b/0xc0\n[ 481.301395] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 481.307238] RIP: 0033:0x7f5466f39617\n[ 481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n[ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\n[ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617\n[ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003\n[ 481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50\n[ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360\n[ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98\n[ 481.451520] Modules linked in: ice\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/intel/ice/ice_main.c"], "versions": [{"version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "lessThan": "e65a8707b4cd756d26d246bb2b9fab06eebafac1", "status": "affected", "versionType": "git"}, {"version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "lessThan": "1f10b09ccc832698ef4624a6ab9a213b6ccbda76", "status": "affected", "versionType": "git"}, {"version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "lessThan": "f65ee535df775a13a1046c0a0b2d72db342f8a5b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/intel/ice/ice_main.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.83", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.6", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1"}, {"url": "https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76"}, {"url": "https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b"}], "title": "ice: avoid bpf_prog refcount underflow", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-29T16:50:07.805074Z", "id": "CVE-2021-47563", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T16:52:12.886Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.865Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.865Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-47563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T16:50:07.805074Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T16:03:28.946Z"}}], "cna": {"title": "ice: avoid bpf_prog refcount underflow", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "efc2214b6047", "lessThan": "e65a8707b4cd", "versionType": "git"}, {"status": "affected", "version": "efc2214b6047", "lessThan": "1f10b09ccc83", "versionType": "git"}, {"status": "affected", "version": "efc2214b6047", "lessThan": "f65ee535df77", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/intel/ice/ice_main.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.5"}, {"status": "unaffected", "version": "0", "lessThan": "5.5", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.83", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.6", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/intel/ice/ice_main.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1"}, {"url": "https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76"}, {"url": "https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: avoid bpf_prog refcount underflow\n\nIce driver has the routines for managing XDP resources that are shared\nbetween ndo_bpf op and VSI rebuild flow. The latter takes place for\nexample when user changes queue count on an interface via ethtool's\nset_channels().\n\nThere is an issue around the bpf_prog refcounting when VSI is being\nrebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as\nan argument that is used later on by ice_vsi_assign_bpf_prog(), same\nbpf_prog pointers are swapped with each other. Then it is also\ninterpreted as an 'old_prog' which in turn causes us to call\nbpf_prog_put on it that will decrement its refcount.\n\nBelow splat can be interpreted in a way that due to zero refcount of a\nbpf_prog it is wiped out from the system while kernel still tries to\nrefer to it:\n\n[ 481.069429] BUG: unable to handle page fault for address: ffffc9000640f038\n[ 481.077390] #PF: supervisor read access in kernel mode\n[ 481.083335] #PF: error_code(0x0000) - not-present page\n[ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0\n[ 481.097141] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1\n[ 481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40\n[ 481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84\n[ 481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286\n[ 481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000\n[ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000\n[ 481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0\n[ 481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc\n[ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000\n[ 481.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0\n[ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 481.237029] Call Trace:\n[ 481.239856] rtnl_fill_ifinfo+0x768/0x12e0\n[ 481.244602] rtnl_dump_ifinfo+0x525/0x650\n[ 481.249246] ? __alloc_skb+0xa5/0x280\n[ 481.253484] netlink_dump+0x168/0x3c0\n[ 481.257725] netlink_recvmsg+0x21e/0x3e0\n[ 481.262263] ____sys_recvmsg+0x87/0x170\n[ 481.266707] ? __might_fault+0x20/0x30\n[ 481.271046] ? _copy_from_user+0x66/0xa0\n[ 481.275591] ? iovec_from_user+0xf6/0x1c0\n[ 481.280226] ___sys_recvmsg+0x82/0x100\n[ 481.284566] ? sock_sendmsg+0x5e/0x60\n[ 481.288791] ? __sys_sendto+0xee/0x150\n[ 481.293129] __sys_recvmsg+0x56/0xa0\n[ 481.297267] do_syscall_64+0x3b/0xc0\n[ 481.301395] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 481.307238] RIP: 0033:0x7f5466f39617\n[ 481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n[ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\n[ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617\n[ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003\n[ 481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50\n[ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360\n[ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98\n[ 481.451520] Modules linked in: ice\n---truncated---"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:08:17.960Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47563", "state": "PUBLISHED", "dateUpdated": "2024-11-05T16:52:12.886Z", "dateReserved": "2024-05-24T15:11:00.728Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-24T15:12:51.398Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4843826-EA9A-472B-82EC-B9E4FD4149AD", "versionEndExcluding": "5.10.83", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "990C08FB-0121-4296-896F-556312F8FF3B", "versionEndExcluding": "5.15.6", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*", "matchCriteriaId": "357AA433-37E8-4323-BFB2-3038D6E4B414", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*", "matchCriteriaId": "A73429BA-C2D9-4D0C-A75F-06A1CA8B3983", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: avoid bpf_prog refcount underflow\n\nIce driver has the routines for managing XDP resources that are shared\nbetween ndo_bpf op and VSI rebuild flow. The latter takes place for\nexample when user changes queue count on an interface via ethtool's\nset_channels().\n\nThere is an issue around the bpf_prog refcounting when VSI is being\nrebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as\nan argument that is used later on by ice_vsi_assign_bpf_prog(), same\nbpf_prog pointers are swapped with each other. Then it is also\ninterpreted as an 'old_prog' which in turn causes us to call\nbpf_prog_put on it that will decrement its refcount.\n\nBelow splat can be interpreted in a way that due to zero refcount of a\nbpf_prog it is wiped out from the system while kernel still tries to\nrefer to it:\n\n[ 481.069429] BUG: unable to handle page fault for address: ffffc9000640f038\n[ 481.077390] #PF: supervisor read access in kernel mode\n[ 481.083335] #PF: error_code(0x0000) - not-present page\n[ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0\n[ 481.097141] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1\n[ 481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40\n[ 481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84\n[ 481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286\n[ 481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000\n[ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000\n[ 481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0\n[ 481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc\n[ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000\n[ 481.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0\n[ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 481.237029] Call Trace:\n[ 481.239856] rtnl_fill_ifinfo+0x768/0x12e0\n[ 481.244602] rtnl_dump_ifinfo+0x525/0x650\n[ 481.249246] ? __alloc_skb+0xa5/0x280\n[ 481.253484] netlink_dump+0x168/0x3c0\n[ 481.257725] netlink_recvmsg+0x21e/0x3e0\n[ 481.262263] ____sys_recvmsg+0x87/0x170\n[ 481.266707] ? __might_fault+0x20/0x30\n[ 481.271046] ? _copy_from_user+0x66/0xa0\n[ 481.275591] ? iovec_from_user+0xf6/0x1c0\n[ 481.280226] ___sys_recvmsg+0x82/0x100\n[ 481.284566] ? sock_sendmsg+0x5e/0x60\n[ 481.288791] ? __sys_sendto+0xee/0x150\n[ 481.293129] __sys_recvmsg+0x56/0xa0\n[ 481.297267] do_syscall_64+0x3b/0xc0\n[ 481.301395] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 481.307238] RIP: 0033:0x7f5466f39617\n[ 481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n[ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\n[ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617\n[ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003\n[ 481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50\n[ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360\n[ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98\n[ 481.451520] Modules linked in: ice\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ice: evitar el subdesbordamiento de refcount de bpf_prog El controlador Ice tiene rutinas para administrar los recursos XDP que se comparten entre la operaci\u00f3n ndo_bpf y el flujo de reconstrucci\u00f3n VSI. Esto \u00faltimo ocurre, por ejemplo, cuando el usuario cambia el recuento de cola en una interfaz a trav\u00e9s de set_channels() de ethtool. Hay un problema relacionado con el recuento de bpf_prog cuando se reconstruye VSI: dado que se llama a ice_prepare_xdp_rings() con vsi-&gt;xdp_prog como argumento que ice_vsi_assign_bpf_prog() usa m\u00e1s adelante, los mismos punteros de bpf_prog se intercambian entre s\u00ed. Luego tambi\u00e9n se interpreta como un 'old_prog' que a su vez hace que llamemos a bpf_prog_put, lo que disminuir\u00e1 su recuento. El siguiente s\u00edmbolo se puede interpretar de una manera que, debido al recuento cero de un bpf_prog, se elimina del sistema mientras el kernel todav\u00eda intenta hacer referencia a \u00e9l: [481.069429] ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffffc9000640f038 [481.077390] # PF: acceso de lectura de supervisor en modo kernel [ 481.083335] #PF: error_code(0x0000) - p\u00e1gina no presente [ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0 [ 481.097141] : 0000 [#1] ANTICIPACI\u00d3N SMP PTI [ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1 [ 481.110840] Nombre de hardware: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 19/05/2016 [ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40 [ 481.127265] C\u00f3digo: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 &lt;48&gt; 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84 [ 481.148991] RSP: ffffc90007b638 68 EFLAGS: 00010286 [481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000 [ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000 [ 481.171527] ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0 [ 481.179776] R10: 00000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc [ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000 [ 48 1.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0 [ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 481.228771] DR3: 00000000000000000 DR6: 00000000ffe0ff0 7: 0000000000000400 [481.237029] Seguimiento de llamadas: [481.239856] rtnl_fill_ifinfo+0x768/0x12e0 [481.244602] rtnl_dump_ifinfo+0x525/0x650 [481.249246] ? __alloc_skb+0xa5/0x280 [ 481.253484] netlink_dump+0x168/0x3c0 [ 481.257725] netlink_recvmsg+0x21e/0x3e0 [ 481.262263] ____sys_recvmsg+0x87/0x170 [ 481.2 66707] ? __might_fault+0x20/0x30 [ 481.271046] ? _copia_de_usuario+0x66/0xa0 [481.275591] ? iovec_from_user+0xf6/0x1c0 [ 481.280226] ___sys_recvmsg+0x82/0x100 [ 481.284566] ? sock_sendmsg+0x5e/0x60 [481.288791]? __sys_sendto+0xee/0x150 [ 481.293129] __sys_recvmsg+0x56/0xa0 [ 481.297267] do_syscall_64+0x3b/0xc0 [ 481.301395] Entry_SYSCALL_64_after_hwframe+0x44/0xae [ 481.307238] RIP: 0033:0x7f5466f39617 [ 481.311373] C\u00f3digo: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 51 c3 48 83 ec 2 8 89 54 24 1c 48 89 74 24 10 [ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 0000000000000002f [ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617 [ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 000000000000003 [ 481.398500] R PA : 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50 [ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: ffedc7f5360 [ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98 [ 481.451520] M\u00f3dulos vinculados en: ice ---truncado---"}], "id": "CVE-2021-47563", "lastModified": "2025-04-01T18:32:52.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-24T15:15:21.033", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f10b09ccc832698ef4624a6ab9a213b6ccbda76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e65a8707b4cd756d26d246bb2b9fab06eebafac1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f65ee535df775a13a1046c0a0b2d72db342f8a5b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ice: avoid bpf_prog refcount underflow", "id": "2283386", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283386"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-367|CWE-416)", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nice: avoid bpf_prog refcount underflow\nIce driver has the routines for managing XDP resources that are shared\nbetween ndo_bpf op and VSI rebuild flow. The latter takes place for\nexample when user changes queue count on an interface via ethtool's\nset_channels().\nThere is an issue around the bpf_prog refcounting when VSI is being\nrebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as\nan argument that is used later on by ice_vsi_assign_bpf_prog(), same\nbpf_prog pointers are swapped with each other. Then it is also\ninterpreted as an 'old_prog' which in turn causes us to call\nbpf_prog_put on it that will decrement its refcount.\nBelow splat can be interpreted in a way that due to zero refcount of a\nbpf_prog it is wiped out from the system while kernel still tries to\nrefer to it:\n[ 481.069429] BUG: unable to handle page fault for address: ffffc9000640f038\n[ 481.077390] #PF: supervisor read access in kernel mode\n[ 481.083335] #PF: error_code(0x0000) - not-present page\n[ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0\n[ 481.097141] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1\n[ 481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016\n[ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40\n[ 481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84\n[ 481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286\n[ 481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000\n[ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000\n[ 481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0\n[ 481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc\n[ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000\n[ 481.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0\n[ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 481.237029] Call Trace:\n[ 481.239856] rtnl_fill_ifinfo+0x768/0x12e0\n[ 481.244602] rtnl_dump_ifinfo+0x525/0x650\n[ 481.249246] ? __alloc_skb+0xa5/0x280\n[ 481.253484] netlink_dump+0x168/0x3c0\n[ 481.257725] netlink_recvmsg+0x21e/0x3e0\n[ 481.262263] ____sys_recvmsg+0x87/0x170\n[ 481.266707] ? __might_fault+0x20/0x30\n[ 481.271046] ? _copy_from_user+0x66/0xa0\n[ 481.275591] ? iovec_from_user+0xf6/0x1c0\n[ 481.280226] ___sys_recvmsg+0x82/0x100\n[ 481.284566] ? sock_sendmsg+0x5e/0x60\n[ 481.288791] ? __sys_sendto+0xee/0x150\n[ 481.293129] __sys_recvmsg+0x56/0xa0\n[ 481.297267] do_syscall_64+0x3b/0xc0\n[ 481.301395] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 481.307238] RIP: 0033:0x7f5466f39617\n[ 481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n[ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\n[ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617\n[ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003\n[ 481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50\n[ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360\n[ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98\n[ 481.451520] Modules linked in: ice\n---truncated---", "A vulnerability was found in the Linux kernel's ice driver, where the add_pble_prm function improperly manages the reference counting of the bpf_prog object. This issue occurs during the VSI rebuild process, causing a reference count underflow when an old program is mistakenly decremented while still in use, which leads to a system crash."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-47563", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47563\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47563\nhttps://lore.kernel.org/linux-cve-announce/2024052452-CVE-2021-47563-008a@gregkh/T"], "threat_severity": "Moderate"}

{}