net/sched: act_ct: fix wild memory access when clearing fragments
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: fix wild memory access when clearing fragments
while testing re-assembly/re-fragmentation using act_ct, it's possible to observe a crash like the following one:
KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f] CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424 Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017 RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0 Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48 RSP: 0018:ffff888c31449db8 EFLAGS: 00010203 RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960 RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350 R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000 R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160 FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:
inet_frag_destroy+0xa9/0x150 call_timer_fn+0x2d/0x180 run_timer_softirq+0x4fe/0xe70 __do_softirq+0x197/0x5a0 irq_exit_rcu+0x1de/0x200 sysvec_apic_timer_interrupt+0x6b/0x80
when act_ct temporarily stores an IP fragment, restoring the skb qdisc cb results in putting random data in FRAG_CB(), and this causes those "wild" memory accesses later, when the rbtree is purged. Never overwrite the skb cb in case tcf_ct_handle_fragments() returns -EINPROGRESS.
Affected products
44- osv-coords43 versionspkg:rpm/suse/kernel-64kb&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-default&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP3pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-docs&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-livepatch-SLE15-SP3_Update_43&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP3pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-preempt&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-preempt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-preempt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-preempt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/kernel-source&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/kernel-syms&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS
< 5.3.18-150300.59.158.1+ 42 more
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1.150300.18.92.5
- (no CPE)range: < 5.3.18-150300.59.158.1.150300.18.92.5
- (no CPE)range: < 5.3.18-150300.59.158.1.150300.18.92.5
- (no CPE)range: < 5.3.18-150300.59.158.1.150300.18.92.5
- (no CPE)range: < 5.3.18-150300.59.158.1.150300.18.92.5
- (no CPE)range: < 5.3.18-150300.59.158.1.150300.18.92.5
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 1-150300.7.3.5
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.166.1
- (no CPE)range: < 5.3.18-150300.166.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.166.1
- (no CPE)range: < 5.3.18-150300.166.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
- (no CPE)range: < 5.3.18-150300.59.158.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.