UBUNTU-CVE-2021-47515
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: seg6: fix the iif in the IPv6 socket control block When an IPv4 packet is received, the ip_rcv_core(...) sets the receiving interface index into the IPv4 socket control block (v5.16-rc4, net/ipv4/ip_input.c line 510): IPCB(skb)->iif = skb->skb_iif; If that IPv4 packet is meant to be encapsulated in an outer IPv6+SRH header, the seg6_do_srh_encap(...) performs the required encapsulation. In this case, the seg6_do_srh_encap function clears the IPv6 socket control block (v5.16-rc4 net/ipv6/seg6_iptunnel.c line 163): memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); The memset(...) was introduced in commit ef489749aae5 ("ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation") a long time ago (2019-01-29). Since the IPv6 socket control block and the IPv4 socket control block share the same memory area (skb->cb), the receiving interface index info is lost (IP6CB(skb)->iif is set to zero). As a side effect, that condition triggers a NULL pointer dereference if commit 0857d6f8c759 ("ipv6: When forwarding count rx stats on the orig netdev") is applied. To fix that issue, we set the IP6CB(skb)->iif with the index of the receiving interface once again.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Systems
- ubuntu•linux
< 4.15.0-169.177 | < 5.4.0-100.113
- ubuntu•linux-allwinner-5.19
all
- ubuntu•linux-aws
< 4.15.0-1121.129 | < 5.4.0-1066.69
- ubuntu•linux-aws-5.0
all
- ubuntu•linux-aws-5.11
all
- ubuntu•linux-aws-5.13
all
- ubuntu•linux-aws-5.19
all
- ubuntu•linux-aws-5.3
all
- ubuntu•linux-aws-5.4
< 5.4.0-1066.69~18.04.1
- ubuntu•linux-aws-5.8
all
- ubuntu•linux-aws-6.2
all
- ubuntu•linux-aws-fips
< 4.15.0-2061.63 | < 5.4.0-1069.73+fips2 | all
- ubuntu•linux-aws-hwe
< 4.15.0-1120.128~16.04.1
- ubuntu•linux-azure
< 4.15.0-1131.144~14.04.1 | < 4.15.0-1131.144~16.04.1 | all | < 5.4.0-1070.73
- ubuntu•linux-azure-4.15
< 4.15.0-1131.144
- ubuntu•linux-azure-5.11
all
- ubuntu•linux-azure-5.13
all
- ubuntu•linux-azure-5.19
all
- ubuntu•linux-azure-5.3
all
- ubuntu•linux-azure-5.4
< 5.4.0-1070.73~18.04.1
- ubuntu•linux-azure-5.8
all
- ubuntu•linux-azure-6.2
all
- ubuntu•linux-azure-edge
all
- ubuntu•linux-azure-fde
all
- ubuntu•linux-azure-fde-5.19
all
- ubuntu•linux-azure-fde-6.2
all
- ubuntu•linux-azure-fips
< 4.15.0-2043.47 | < 5.4.0-1073.76+fips1 | all
- ubuntu•linux-bluefield
< 5.4.0-1028.31 | all
- ubuntu•linux-fips
< 4.15.0-1078.87 | all | < 5.4.0-1043.49
- ubuntu•linux-gcp
< 4.15.0-1116.130~16.04.1 | all | < 5.4.0-1065.69
- ubuntu•linux-gcp-4.15
< 4.15.0-1116.130
- ubuntu•linux-gcp-5.11
all
- ubuntu•linux-gcp-5.13
all
- ubuntu•linux-gcp-5.19
all
- ubuntu•linux-gcp-5.3
all
- ubuntu•linux-gcp-5.4
< 5.4.0-1065.69~18.04.1
- ubuntu•linux-gcp-5.8
all
- ubuntu•linux-gcp-6.2
all
- ubuntu•linux-gcp-fips
< 4.15.0-2026.28 | < 5.4.0-1067.71~20.04.1 | all
- ubuntu•linux-gke
all
- ubuntu•linux-gke-4.15
all
- ubuntu•linux-gke-5.15
all
- ubuntu•linux-gke-5.4
all
- ubuntu•linux-gkeop
< 5.4.0-1034.35
- ubuntu•linux-gkeop-5.4
all
- ubuntu•linux-hwe
< 4.15.0-169.177~16.04.1 | all
- ubuntu•linux-hwe-5.11
all
- ubuntu•linux-hwe-5.13
all
- ubuntu•linux-hwe-5.19
all
- ubuntu•linux-hwe-5.4
< 5.4.0-100.113~18.04.1
Showing first 50 affected entries in server-rendered view.
References (9)
- https://ubuntu.com/security/CVE-2021-47515
- https://www.cve.org/CVERecord?id=CVE-2021-47515
- https://git.kernel.org/linus/ae68d93354e5bf5191ee673982251864ea24dd5c
- https://git.kernel.org/stable/c/6431e71093f3da586a00c6d931481ffb0dc2db0e
- https://git.kernel.org/stable/c/666521b3852d2b2f52d570f9122b1e4b50d96831
- https://git.kernel.org/stable/c/98adb2bbfa407c9290bda299d4c6f7a1c4ebd5e1
- https://git.kernel.org/stable/c/ae68d93354e5bf5191ee673982251864ea24dd5c
- https://git.kernel.org/stable/c/b16d412e5f79734033df04e97d7ea2f50a8e9fe3
- https://git.kernel.org/stable/c/ef8804e47c0a44ae106ead1740408af5ea6c6ee9