ghsa-5w2f-hr95-2h6j
Vulnerability from github
Published
2024-05-21 15:31
Modified
2024-12-26 18:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

nexthop: Fix division by zero while replacing a resilient group

The resilient nexthop group torture tests in fib_nexthop.sh exposed a possible division by zero while replacing a resilient group [1]. The division by zero occurs when the data path sees a resilient nexthop group with zero buckets.

The tests replace a resilient nexthop group in a loop while traffic is forwarded through it. The tests do not specify the number of buckets while performing the replacement, resulting in the kernel allocating a stub resilient table (i.e, 'struct nh_res_table') with zero buckets.

This table should never be visible to the data path, but the old nexthop group (i.e., 'oldg') might still be used by the data path when the stub table is assigned to it.

Fix this by only assigning the stub table to the old nexthop group after making sure the group is no longer used by the data path.

Tested with fib_nexthops.sh:

Tests passed: 222 Tests failed: 0

[1] divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014 RIP: 0010:nexthop_select_path+0x2d2/0x1a80 [...] Call Trace: fib_select_multipath+0x79b/0x1530 fib_select_path+0x8fb/0x1c10 ip_route_output_key_hash_rcu+0x1198/0x2da0 ip_route_output_key_hash+0x190/0x340 ip_route_output_flow+0x21/0x120 raw_sendmsg+0x91d/0x2e10 inet_sendmsg+0x9e/0xe0 __sys_sendto+0x23d/0x360 __x64_sys_sendto+0xe1/0x1b0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:22Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix division by zero while replacing a resilient group\n\nThe resilient nexthop group torture tests in fib_nexthop.sh exposed a\npossible division by zero while replacing a resilient group [1]. The\ndivision by zero occurs when the data path sees a resilient nexthop\ngroup with zero buckets.\n\nThe tests replace a resilient nexthop group in a loop while traffic is\nforwarded through it. The tests do not specify the number of buckets\nwhile performing the replacement, resulting in the kernel allocating a\nstub resilient table (i.e, \u0027struct nh_res_table\u0027) with zero buckets.\n\nThis table should never be visible to the data path, but the old nexthop\ngroup (i.e., \u0027oldg\u0027) might still be used by the data path when the stub\ntable is assigned to it.\n\nFix this by only assigning the stub table to the old nexthop group after\nmaking sure the group is no longer used by the data path.\n\nTested with fib_nexthops.sh:\n\nTests passed: 222\nTests failed:   0\n\n[1]\n divide error: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\n RIP: 0010:nexthop_select_path+0x2d2/0x1a80\n[...]\n Call Trace:\n  fib_select_multipath+0x79b/0x1530\n  fib_select_path+0x8fb/0x1c10\n  ip_route_output_key_hash_rcu+0x1198/0x2da0\n  ip_route_output_key_hash+0x190/0x340\n  ip_route_output_flow+0x21/0x120\n  raw_sendmsg+0x91d/0x2e10\n  inet_sendmsg+0x9e/0xe0\n  __sys_sendto+0x23d/0x360\n  __x64_sys_sendto+0xe1/0x1b0\n  do_syscall_64+0x35/0x80\n  entry_SYSCALL_64_after_hwframe+0x44/0xae",
  "id": "GHSA-5w2f-hr95-2h6j",
  "modified": "2024-12-26T18:30:33Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47363"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/563f23b002534176f49524b5ca0e1d94d8906c40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9d32ec26e7f01d1af13bdc687f586362546aa25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.