Diffstat (limited to 'cve/published/2021/CVE-2021-47174.mbox')
-rw-r--r--  cve/published/2021/CVE-2021-47174.mbox  159
1 files changed, 159 insertions, 0 deletions
diff --git a/cve/published/2021/CVE-2021-47174.mbox b/cve/published/2021/CVE-2021-47174.mbox
new file mode 100644
index 00000000..056eed94
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47174.mbox
@@ -0,0 +1,159 @@
+From bippy-b4257b672505 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47174: netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version
+Message-Id: <2024032537-CVE-2021-47174-a330@gregkh>
+Content-Length: 8157
+Lines: 142
+X-Developer-Signature: v=1; a=openpgp-sha256; l=8300;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ipfEGyZ/3zhMoHxt6H5qmb48Xt41TV5+5cZbPTrgVLU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmMDl/9PT703/9+T+Ffl2l1WjuDVIs4q1lQTpMmY0PiM
+ uspPN86YlkYBJkYZMUUWb5s4zm6v+KQopeh7WmYOaxMIEMYuDgFYCLRcxgWzDO0Wnz+jLSn1e2I
+ lx/f/Uw8qbdoGsM8RZ3Hwgkbp4b47+WxOOt1qeqaROFLAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version
+
+Arturo reported this backtrace:
+
+[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
+[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod
+[709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common
+[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
+[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020
+[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0
+[709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb
+[709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202
+[709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001
+[709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003
+[709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462
+[709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960
+[709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660
+[709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000
+[709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0
+[709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[709732.359003] PKRU: 55555554
+[709732.359005] Call Trace:
+[709732.359009] <IRQ>
+[709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
+[709732.359046] ? sched_clock+0x5/0x10
+[709732.359054] ? sched_clock_cpu+0xc/0xb0
+[709732.359061] ? record_times+0x16/0x80
+[709732.359068] ? plist_add+0xc1/0x100
+[709732.359073] ? psi_group_change+0x47/0x230
+[709732.359079] ? skb_clone+0x4d/0xb0
+[709732.359085] ? enqueue_task_rt+0x22b/0x310
+[709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]
+[709732.359102] ? packet_rcv+0x40/0x4a0
+[709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]
+[709732.359133] nft_do_chain+0x350/0x500 [nf_tables]
+[709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables]
+[709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables]
+[709732.359172] ? fib4_rule_action+0x6d/0x80
+[709732.359178] ? fib_rules_lookup+0x107/0x250
+[709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]
+[709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat]
+[709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat]
+[709732.359207] nf_hook_slow+0x44/0xc0
+[709732.359214] ip_output+0xd2/0x100
+[709732.359221] ? __ip_finish_output+0x210/0x210
+[709732.359226] ip_forward+0x37d/0x4a0
+[709732.359232] ? ip4_key_hashfn+0xb0/0xb0
+[709732.359238] ip_sublist_rcv_finish+0x4f/0x60
+[709732.359243] ip_sublist_rcv+0x196/0x220
+[709732.359250] ? ip_rcv_finish_core.isra.22+0x400/0x400
+[709732.359255] ip_list_rcv+0x137/0x160
+[709732.359264] __netif_receive_skb_list_core+0x29b/0x2c0
+[709732.359272] netif_receive_skb_list_internal+0x1a6/0x2d0
+[709732.359280] gro_normal_list.part.156+0x19/0x40
+[709732.359286] napi_complete_done+0x67/0x170
+[709732.359298] bnxt_poll+0x105/0x190 [bnxt_en]
+[709732.359304] ? irqentry_exit+0x29/0x30
+[709732.359309] ? asm_common_interrupt+0x1e/0x40
+[709732.359315] net_rx_action+0x144/0x3c0
+[709732.359322] __do_softirq+0xd5/0x29c
+[709732.359329] asm_call_irq_on_stack+0xf/0x20
+[709732.359332] </IRQ>
+[709732.359339] do_softirq_own_stack+0x37/0x40
+[709732.359346] irq_exit_rcu+0x9d/0xa0
+[709732.359353] common_interrupt+0x78/0x130
+[709732.359358] asm_common_interrupt+0x1e/0x40
+[709732.359366] RIP: 0010:crc_41+0x0/0x1e [crc32c_intel]
+[709732.359370] Code: ff ff f2 4d 0f 38 f1 93 a8 fe ff ff f2 4c 0f 38 f1 81 b0 fe ff ff f2 4c 0f 38 f1 8a b0 fe ff ff f2 4d 0f 38 f1 93 b0 fe ff ff <f2> 4c 0f 38 f1 81 b8 fe ff ff f2 4c 0f 38 f1 8a b8 fe ff ff f2 4d
+[709732.359373] RSP: 0018:ffffbb97008dfcd0 EFLAGS: 00000246
+[709732.359377] RAX: 000000000000002a RBX: 0000000000000400 RCX: ffff922fc591dd50
+[709732.359379] RDX: ffff922fc591dea0 RSI: 0000000000000a14 RDI: ffffffffc00dddc0
+[709732.359382] RBP: 0000000000001000 R08: 000000000342d8c3 R09: 0000000000000000
+[709732.359384] R10: 0000000000000000 R11: ffff922fc591dff0 R12: ffffbb97008dfe58
+[709732.359386] R13: 000000000000000a R14: ffff922fd2b91e80 R15: ffff922fef83fe38
+[709732.359395] ? crc_43+0x1e/0x1e [crc32c_intel]
+[709732.359403] ? crc32c_pcl_intel_update+0x97/0xb0 [crc32c_intel]
+[709732.359419] ? jbd2_journal_commit_transaction+0xaec/0x1a30 [jbd2]
+[709732.359425] ? irq_exit_rcu+0x3e/0xa0
+[709732.359447] ? kjournald2+0xbd/0x270 [jbd2]
+[709732.359454] ? finish_wait+0x80/0x80
+[709732.359470] ? commit_timeout+0x10/0x10 [jbd2]
+[709732.359476] ? kthread+0x116/0x130
+[709732.359481] ? kthread_park+0x80/0x80
+[709732.359488] ? ret_from_fork+0x1f/0x30
+[709732.359494] ---[ end trace 081a19978e5f09f5 ]---
+
+that is, nft_pipapo_avx2_lookup() uses the FPU running from a softirq
+that interrupted a kthread, also using the FPU.
+
+That's exactly the reason why irq_fpu_usable() is there: use it, and
+if we can't use the FPU, fall back to the non-AVX2 version of the
+lookup operation, i.e. nft_pipapo_lookup().
+
+The Linux kernel CVE team has assigned CVE-2021-47174 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.7 with commit 7400b063969b and fixed in 5.10.42 with commit b1f45a26bd32
+ Issue introduced in 5.7 with commit 7400b063969b and fixed in 5.12.9 with commit 727a2b4fc951
+ Issue introduced in 5.7 with commit 7400b063969b and fixed in 5.13 with commit f0b3d338064e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47174
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nft_set_pipapo.c
+ net/netfilter/nft_set_pipapo.h
+ net/netfilter/nft_set_pipapo_avx2.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b1f45a26bd322525c14edd9504f6d46dfad679a4
+ https://git.kernel.org/stable/c/727a2b4fc951ee69847d4904d98961856ea9fbe6
+ https://git.kernel.org/stable/c/f0b3d338064e1fe7531f0d2977e35f3b334abfb4
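Review bot: The "Affected and fixed versions" section lists the fix only for 5.10.42, 5.12.9 and 5.13, so a reader on a 5.11.y kernel, which lies between the introducing release 5.7 (commit 7400b063969b) and the fixed 5.12.9, cannot tell from this record whether that series is affected or will ever receive the fix; either add a line giving the 5.11 status or say explicitly that no fix is listed for it, rather than leaving it to the generic "unaffected versions might change over time" paragraph. The rest of the record is internally consistent: the three short commit ids on the version lines are prefixes of the three full hashes under "Mitigation", the "Lines: 142" header matches the body length, and the trace in the description (nft_pipapo_avx2_lookup in softirq context interrupting crc_41 [crc32c_intel] under kjournald2) supports the stated root cause of FPU use from a softirq that preempted an FPU-using kthread, which is what the irq_fpu_usable() check and nft_pipapo_lookup() fallback address.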