CVE-2021-47162

Analyzed
Published: 25 Mar 2024, 09:16
Last modified: 23 May 2026, 15:19

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.01% LOW
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

25 Mar 2024, 09:16
Published
Vulnerability first disclosed
23 May 2026, 15:19
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs. However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes as this appended frag skb is seen by multiple skbs but it only got skb_get called once.

The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb.

Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices:

    [] kernel BUG at net/core/skbuff.c:1970!
    [] Call Trace:
    [] skb_clone+0x4d/0xb0
    [] macvlan_broadcast+0xd8/0x160 [macvlan]
    [] macvlan_process_broadcast+0x148/0x150 [macvlan]
    [] process_one_work+0x1a7/0x360
    [] worker_thread+0x30/0x390

    [] kernel BUG at mm/usercopy.c:102!
    [] Call Trace:
    [] __check_heap_object+0xd3/0x100
    [] __check_object_size+0xff/0x16b
    [] simple_copy_to_iter+0x1c/0x30
    [] __skb_datagram_iter+0x7d/0x310
    [] __skb_datagram_iter+0x2a5/0x310
    [] skb_copy_datagram_iter+0x3b/0x90
    [] tipc_recvmsg+0x14a/0x3a0 [tipc]
    [] ____sys_recvmsg+0x91/0x150
    [] ___sys_recvmsg+0x7b/0xc0

    [] kernel BUG at mm/slub.c:305!
    [] Call Trace:
    [] <IRQ>
    [] kmem_cache_free+0x3ff/0x400
    [] __netif_receive_skb_core+0x12c/0xc40
    [] ? kmem_cache_alloc+0x12e/0x270
    [] netif_receive_skb_internal+0x3d/0xb0
    [] ? get_rx_page_info+0x8e/0xa0 [be2net]
    [] be_poll+0x6ef/0xd00 [be2net]
    [] ? irq_exit+0x4f/0x100
    [] net_rx_action+0x149/0x3b0
    ...

This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we cannot just drop the frag_list either as the early time.

CVSS Metrics

  • v3.1 MEDIUM, Score: 5.5, Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01% Percentile: 3%

Techniques & Countermeasures

  • CWE-416 Use After Free

    The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

  • linux / linux (git commit ranges and upstream versions)

    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < b2c8d28c34b3070407cb1741f9ba3f15d0284b8b
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < 5489f30bb78ff0dafb4229a69632afc2ba20765c
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < 436d650d374329a591c30339a91fa5078052ed1e
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < 4b1761898861117c97066aea6c58f68a7787f0bf
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < 64d17ec9f1ded042c4b188d15734f33486ed9966
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < 6da24cfc83ba4f97ea44fc7ae9999a006101755c
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < ace300eecbccaa698e2b472843c74a5f33f7dce8
    ≥ 45c8b7b175ceb2d542e0fe15247377bf3bce29ec, < b7df21cf1b79ab7026f545e7bf837bd5750ac026
    d45ed6c1ff20d3640a31f03816ca2d48fb7d6f22
    c19282fd54a19e4651a4e67836cd842082546677
    ≥ 4.1.14, < 4.2
    ≥ 4.2.7, < 4.3
    4.3

  • linux / linux_kernel (stable release ranges)

    ≥ 4.3, < 4.4.271
    ≥ 4.5, < 4.9.271
    ≥ 4.10, < 4.14.235
    ≥ 4.15, < 4.19.193
    ≥ 4.20, < 5.4.124
    ≥ 5.5, < 5.10.42
    ≥ 5.11, < 5.12.9
    5.13:rc1
    5.13:rc2
    5.13:rc3

References (8)