CVE-2021-47014 - Wild Memory Access in Linux Kernel net/sched act_ct Fragment Handling

In early 2021, a serious vulnerability was discovered in the Linux kernel’s networking subsystem, specifically in the traffic control action connection tracking module (net/sched/act_ct). Known as CVE-2021-47014, this bug could let an attacker trigger wild (out-of-bounds) memory access through crafted IP fragments, potentially causing a kernel crash (DoS) or, under certain conditions, raising the risk for further exploitation.

Let’s break down what happened, how it could be exploited, and how the fix works.

What is act_ct and Where Did the Bug Appear?

Linux networking subsystems are powerful and complex, offering control over packet flows using traffic control (tc) and netfilter modules. The act_ct module lets administrators perform connection tracking as a tc action, useful for sophisticated firewall, NAT, and routing setups.

The problematic code handled IP fragment reassembly in act_ct. When processing fragments, the kernel uses internal structures attached to socket buffers (SKBs). A special section of the SKB called the control buffer (skb->cb) stores per-packet book-keeping information, often reused by various subsystems.

The bug occurred when

- The kernel was testing re-assembly/re-fragmentation with act_ct (using certain tc policies).
- After temporarily storing a fragment, it did not properly restore the skb->cb, meaning sensitive structures like FRAG_CB now contained uninitialized (random) data.
- Later, cleanup code tried to read these bad values, sometimes poisoning the fragment rbtree walk, leading to a crash or wild access.

Real-World Impact

If an attacker could craft fragmented packets and cause these code paths to trigger (for example, via local shell or remote packets routed through a tc/act_ct managed interface), they could destabilize the kernel, trigger a Denial of Service and possibly escalate privileges under certain scenarios.

Here's a minimal reproduction of the crash scenario (from kernel logs)

KASAN: maybe wild-memory-access in range [x0001000000000448-x000100000000044f]
...
RIP: 001:inet_frag_rbtree_purge+x50/xc
...
Call Trace:
  inet_frag_destroy+xa9/x150
  call_timer_fn+x2d/x180
  run_timer_softirq+x4fe/xe70
  __do_softirq+x197/x5a
  irq_exit_rcu+x1de/x200
  sysvec_apic_timer_interrupt+x6b/x80

The Code Vulnerability (Explained Simply)

When a fragment was queued, act_ct would sometimes overwrite the skb->cb — the special little "scratchpad" where networking code keeps temporary info. It did this even if reassembly was still in progress (-EINPROGRESS), so later code (like the fragment rbtree cleanup) would operate on junk data instead of the expected struct pointers and metadata.

Here’s a stripped version to show the error

rc = tcf_ct_handle_fragments(skb, ...);
restore_qdisc_cb(skb);  // BAD: blindly restores, even if rc == -EINPROGRESS

If tcf_ct_handle_fragments() says “Wait, reassembly continuing (-EINPROGRESS)”, we should not restore the SKB cb, but the code did.

The Fix

The patch adds a crucial check: only restore the SKB control buffer (qdisc_cb) if fragment handling completed *successfully*.

Fixed Snippet

rc = tcf_ct_handle_fragments(skb, ...);
if (rc != -EINPROGRESS)
    restore_qdisc_cb(skb); // Only restore when safe!

Bottom line: Never overwrite the SKB cb area unless you're done with the fragments.

Attack Vector

- Remote: If act_ct is used on a public-facing interface, a remote attacker can send specially crafted fragmented IP packets to exploit this. These would trigger the codepath that handles fragment reassembly.
- Local: A local user with raw socket access or tc privileges could flood the act_ct module with malicious fragments.

What Happens

- Crash/DoS: Kernel tries to dereference bad pointers, leading to a panic (as seen from KASAN dumps).
- Wild Memory Access: Unpredictable code execution, possibly reading or writing outside intended kernel memory ranges.

No public exploit code is known, but reproducing the crash is straightforward using tc/netfilter, raw IP packets, and fragment abuse.

Warning: Only do this on a disposable VM!

*Install a kernel with act_ct enabled, set up a tc rule like this:*

tc qdisc add dev eth clsact
tc filter add dev eth ingress \
    protocol ip flower \
    action ct

Then, send crafted fragmented IP packets using scapy or hping3 to the interface. Monitor dmesg for wild memory accesses or kernel panics.

References and Links

- Upstream Kernel Patch (lkml.org)
- CVE Page (Mitre)
- Commit: act_ct: fix wild memory access when clearing fragments
- Netdev mailing list discussion

Conclusion

CVE-2021-47014 is a nasty bug that could let attackers destabilize Linux servers using advanced traffic control rules involving connection tracking and fragmented packets. Fixed in upstream kernel after April 2021 — users should update immediately if they use act_ct or suspect exposure via tc/netfilter on their machines.

Simple rule: Don’t let your kernel walk over uninitialized memory — always restore or rewrite SKB buffers with care, especially in shared and critical networking code!


If you want to dive deeper, read the canonical upstream patch or check the mailing list discussions for more details on real-world implications.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 01/08/2025 18:08:16 UTC