A vulnerability in the Linux kernel has been resolved that was impacting the "net/sched: act_ct" mechanism. This issue resulted in wild memory access when clearing re-assembled IP fragments. This post will detail the vulnerability, how it could be exploited, and the steps taken to fix it.
Vulnerability Details
The vulnerability was first observed while testing re-assembly and re-fragmentation using act_ct, causing a crash. This crash was due to the skb qdisc cb being overwritten with random data when act_ct temporarily stored IP fragments. In turn, this led to wild memory access later when purging the rbtree. With this information, Linux kernel developers quickly identified the issue and released a fix to prevent this skb cb overwrite.
Below is an excerpt of the kernel stack trace recorded at the crash. The fault surfaces in inet_frag_destroy(), reached from the fragment-queue timer in the softirq path, which is where the rbtree of stored fragments is purged:
inet_frag_destroy+0xa9/0x150
call_timer_fn+0x2d/0x180
run_timer_softirq+0x4fe/0xe70
__do_softirq+0x197/0x5a
irq_exit_rcu+0x1de/0x200
sysvec_apic_timer_interrupt+0x6b/0x80
Exploit Details
An attacker exploiting this vulnerability would need to send IP fragments crafted so that act_ct queues them for reassembly and the later purge performs the wild memory access. The outcome ranges from a kernel crash (denial of service) to, depending on the surrounding kernel code, potential code execution.
Fix Implementation
To resolve this issue, kernel developers implemented a change to ensure the skb cb is never overwritten in case tcf_ct_handle_fragments() returns -EINPROGRESS. Now, with this patch in place, wild memory access no longer occurs when purging the rbtree.
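As an added illustration of the bug class (a constructed userspace model, not the kernel's code and not the upstream patch), the following C program shows why handing an skb to the fragment queue and then touching its control block is dangerous. It assumes a simplified skb whose single cb area is viewed as qdisc metadata by the scheduler and as queue links by the reassembly code; the "vulnerable" and "fixed" handlers are this example's own simplification of the -EINPROGRESS handling described above.

```c
/* Constructed userspace model of the skb control-block clash (not kernel code):
 * one scratch area, interpreted as qdisc metadata by the scheduler and as
 * reassembly-queue links by the fragment code. */
#include <stdbool.h>
#include <stddef.h>

#define EINPROGRESS 115
#define CB_SIZE 48

struct qdisc_cb { unsigned int pkt_len; };              /* scheduler's view of cb */
struct frag_cb  { struct skb *next_frag; int run_len; }; /* reassembly queue's view */

struct skb {
    unsigned int len;
    union { char raw[CB_SIZE]; struct qdisc_cb q; struct frag_cb f; } cb;
};

static struct skb *frag_queue;   /* constructed stand-in for the per-queue fragment list */

/* Queue an incomplete fragment: the queue now owns the skb and keeps its links in cb. */
static int defrag(struct skb *skb)
{
    skb->cb.f.next_frag = NULL;          /* end of the fragment run */
    skb->cb.f.run_len = (int)skb->len;
    frag_queue = skb;
    return -EINPROGRESS;
}

/* Vulnerable flow: the qdisc view saved before reassembly is restored unconditionally,
 * so the queued skb's link bytes are overwritten with a packet length. */
static int handle_fragments_vulnerable(struct skb *skb)
{
    struct qdisc_cb saved = skb->cb.q;
    int err = defrag(skb);
    skb->cb.q = saved;                   /* clobbers frag_cb.next_frag */
    return err;
}

/* Fixed flow: on -EINPROGRESS the skb belongs to the fragment queue; leave its cb alone. */
static int handle_fragments_fixed(struct skb *skb)
{
    struct qdisc_cb saved = skb->cb.q;
    int err = defrag(skb);
    if (err == -EINPROGRESS)
        return err;
    skb->cb.q = saved;
    return err;
}

/* Models the later purge: true if the queued skb's link is still the NULL terminator,
 * false if it now holds junk the purge would dereference. */
static bool purge_would_be_safe(void)
{
    return frag_queue->cb.f.next_frag == NULL;
}

/* Run one handler on a fresh fragment carrying a non-zero qdisc pkt_len. */
static bool scenario(int (*handler)(struct skb *))
{
    struct skb skb = { .len = 1500 };
    skb.cb.q.pkt_len = 1500;
    handler(&skb);
    return purge_would_be_safe();
}
```

The purge check is the same observation the KASAN report makes in the real kernel: whether the link the fragment queue later walks still holds a valid pointer.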
Links to Original References
- Linux Git Commit
- Linux Kernel Mailing List
- KASAN Crash Log
Conclusion
CVE-2021-47014, a wild memory access vulnerability in the Linux kernel's "net/sched: act_ct" mechanism, has now been resolved. With the implemented fix, Linux kernel users can be assured that their system will no longer experience crashes or potential code execution attacks due to this specific vulnerability. It is highly recommended that users upgrade to a patched version of the kernel to protect against this security flaw.
Timeline
Published on: 02/28/2024 09:15:38 UTC
Last modified on: 05/29/2024 05:00:32 UTC