中危 net:修复 tw_timer_handler 中的释放后使用 (CVE-2021-46936)

CVE编号

CVE-2021-46936

利用情况

暂无

补丁情况

官方补丁

披露时间

2024-02-27
漏洞描述
In the Linux kernel, the following vulnerability has been resolved:

net: fix use-after-free in tw_timer_handler

A real world panic issue was found as follow in Linux 5.4.

BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
<IRQ>
call_timer_fn+0x2b/0x120
run_timer_softirq+0x1ef/0x450
__do_softirq+0x10d/0x2b8
irq_exit+0xc7/0xd0
smp_apic_timer_interrupt+0x68/0x120
apic_timer_interrupt+0xf/0x20

This issue was also reported since 2017 in the thread [1],
unfortunately, the issue was still can be reproduced after fixing
DCCP.

The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
namespace is destroyed since tcp_sk_ops is registered befrore
ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
in the list of pernet_list. There will be a use-after-free on
net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
if there are some inflight time-wait timers.

This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
NET_ADD_STATS_BH") since the net_statistics is a global variable
instead of dynamic allocation and freeing. Actually, commit
61a7e26028b9 ("mib: put net statistics on struct net") introduces
the bug since it put net statistics on struct net and free it when
net namespace is destroyed.

Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
and replace pr_crit() with panic() since continuing is meaningless
when init_ipv4_mibs() fails.

[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://git.kernel.org/stable/c/08eacbd141e2495d2fcdde84358a06c4f95cbb13
https://git.kernel.org/stable/c/15579e1301f856ad9385d720c9267c11032a5022
https://git.kernel.org/stable/c/2386e81a1d277f540e1285565c9d41d531bb69d4
https://git.kernel.org/stable/c/5c2fe20ad37ff56070ae0acb34152333976929b4
https://git.kernel.org/stable/c/a8e1944b44f94f5c5f530e434c5eaee787254566
https://git.kernel.org/stable/c/e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0
https://git.kernel.org/stable/c/e73164e89d1be561228a4534e1091369ee4ba41a
https://git.kernel.org/stable/c/fe5838c22b986c1190f1dce9aa09bf6a491c1a69
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 debian_10 linux * Up to
(excluding)
4.19.232-1
运行在以下环境
系统 debian_11 linux * Up to
(excluding)
5.10.92-1
运行在以下环境
系统 debian_12 linux * Up to
(excluding)
5.15.15-1
运行在以下环境
系统 linux linux_kernel * From
(including)
2.6.27 		Up to
(excluding)
4.4.298
运行在以下环境
系统 linux linux_kernel * From
(including)
4.10.0 		Up to
(excluding)
4.14.261
运行在以下环境
系统 linux linux_kernel * From
(including)
4.15.0 		Up to
(excluding)
4.19.224
运行在以下环境
系统 linux linux_kernel * From
(including)
4.20.0 		Up to
(excluding)
5.4.170
运行在以下环境
系统 linux linux_kernel * From
(including)
4.5.0 		Up to
(excluding)
4.9.296
运行在以下环境
系统 linux linux_kernel * From
(including)
5.11.0 		Up to
(excluding)
5.15.13
运行在以下环境
系统 linux linux_kernel * From
(including)
5.5.0 		Up to
(excluding)
5.10.90
阿里云评分
6.5
  • 攻击路径
    本地
  • 攻击复杂度
    复杂
  • 权限要求
    普通权限
  • 影响范围
    越权影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-416 释放后使用
阿里云安全产品覆盖情况