CVE-2021-47304 (GCVE-0-2021-47304)

Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2025-05-04 07:08
VLAI?
Title
tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
Summary
In the Linux kernel, the following vulnerability has been resolved: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions. The buggy scenario constructed by syzkaller was something like: (1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), which calls: tcp_set_congestion_control() -> tcp_reinit_congestion_control() -> tcp_init_congestion_control() (4) receive ACK, connection is established, call tcp_init_transfer(), set icsk_ca_initialized=0 (without first calling cc->release()), call tcp_init_congestion_control() again. Note that in this sequence tcp_init_congestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG. The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), which would call tcp_init_congestion_control(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 , < ad4ba3404931745a5977ad12db4f0c34080e52f7 (git)
Affected: 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 , < fe77b85828ca9ddc42977b79de9e40d18545b4fe (git)
Affected: 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 , < be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc (git)
Create a notification for this product.
    Linux Linux Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.53 , ≤ 5.10.* (semver)
Unaffected: 5.13.5 , ≤ 5.13.* (semver)
Unaffected: 5.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47304",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T15:35:43.044493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:14:55.263Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:08.445Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ad4ba3404931745a5977ad12db4f0c34080e52f7",
              "status": "affected",
              "version": "8919a9b31eb4fb4c0a93e5fb350a626924302aa6",
              "versionType": "git"
            },
            {
              "lessThan": "fe77b85828ca9ddc42977b79de9e40d18545b4fe",
              "status": "affected",
              "version": "8919a9b31eb4fb4c0a93e5fb350a626924302aa6",
              "versionType": "git"
            },
            {
              "lessThan": "be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc",
              "status": "affected",
              "version": "8919a9b31eb4fb4c0a93e5fb350a626924302aa6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/tcp_input.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.13.*",
              "status": "unaffected",
              "version": "5.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.53",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13.5",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\n\nThis commit fixes a bug (found by syzkaller) that could cause spurious\ndouble-initializations for congestion control modules, which could cause\nmemory leaks or other problems for congestion control modules (like CDG)\nthat allocate memory in their init functions.\n\nThe buggy scenario constructed by syzkaller was something like:\n\n(1) create a TCP socket\n(2) initiate a TFO connect via sendto()\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\n    which calls:\n       tcp_set_congestion_control() -\u003e\n         tcp_reinit_congestion_control() -\u003e\n           tcp_init_congestion_control()\n(4) receive ACK, connection is established, call tcp_init_transfer(),\n    set icsk_ca_initialized=0 (without first calling cc-\u003erelease()),\n    call tcp_init_congestion_control() again.\n\nNote that in this sequence tcp_init_congestion_control() is called\ntwice without a cc-\u003erelease() call in between. Thus, for CC modules\nthat allocate memory in their init() function, e.g, CDG, a memory leak\nmay occur. The syzkaller tool managed to find a reproducer that\ntriggered such a leak in CDG.\n\nThe bug was introduced when that commit 8919a9b31eb4 (\"tcp: Only init\ncongestion control if not initialized already\")\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\ntcp_init_transfer(), missing the possibility for a sequence like the\none above, where a process could call setsockopt(TCP_CONGESTION) in\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\nwhich would call tcp_init_congestion_control(). It did not intend to\nreset any initialization that the user had already explicitly made;\nit just missed the possibility of that particular sequence (which\nsyzkaller managed to find)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:08:19.725Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc"
        }
      ],
      "title": "tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47304",
    "datePublished": "2024-05-21T14:35:24.670Z",
    "dateReserved": "2024-05-21T13:27:52.133Z",
    "dateUpdated": "2025-05-04T07:08:19.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:32:08.445Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47304\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-21T15:35:43.044493Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:25.182Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"8919a9b31eb4fb4c0a93e5fb350a626924302aa6\", \"lessThan\": \"ad4ba3404931745a5977ad12db4f0c34080e52f7\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8919a9b31eb4fb4c0a93e5fb350a626924302aa6\", \"lessThan\": \"fe77b85828ca9ddc42977b79de9e40d18545b4fe\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8919a9b31eb4fb4c0a93e5fb350a626924302aa6\", \"lessThan\": \"be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc\", \"versionType\": \"git\"}], \"programFiles\": [\"net/ipv4/tcp_input.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.53\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.13.*\"}, {\"status\": \"unaffected\", \"version\": \"5.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/ipv4/tcp_input.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7\"}, {\"url\": \"https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe\"}, {\"url\": \"https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\\n\\nThis commit fixes a bug (found by syzkaller) that could cause spurious\\ndouble-initializations for congestion control modules, which could cause\\nmemory leaks or other problems for congestion control modules (like CDG)\\nthat allocate memory in their init functions.\\n\\nThe buggy scenario constructed by syzkaller was something like:\\n\\n(1) create a TCP socket\\n(2) initiate a TFO connect via sendto()\\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\\n    which calls:\\n       tcp_set_congestion_control() -\u003e\\n         tcp_reinit_congestion_control() -\u003e\\n           tcp_init_congestion_control()\\n(4) receive ACK, connection is established, call tcp_init_transfer(),\\n    set icsk_ca_initialized=0 (without first calling cc-\u003erelease()),\\n    call tcp_init_congestion_control() again.\\n\\nNote that in this sequence tcp_init_congestion_control() is called\\ntwice without a cc-\u003erelease() call in between. Thus, for CC modules\\nthat allocate memory in their init() function, e.g, CDG, a memory leak\\nmay occur. The syzkaller tool managed to find a reproducer that\\ntriggered such a leak in CDG.\\n\\nThe bug was introduced when that commit 8919a9b31eb4 (\\\"tcp: Only init\\ncongestion control if not initialized already\\\")\\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\\ntcp_init_transfer(), missing the possibility for a sequence like the\\none above, where a process could call setsockopt(TCP_CONGESTION) in\\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\\nwhich would call tcp_init_congestion_control(). It did not intend to\\nreset any initialization that the user had already explicitly made;\\nit just missed the possibility of that particular sequence (which\\nsyzkaller managed to find).\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.53\", \"versionStartIncluding\": \"5.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.13.5\", \"versionStartIncluding\": \"5.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.14\", \"versionStartIncluding\": \"5.10\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:08:19.725Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47304\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T07:08:19.725Z\", \"dateReserved\": \"2024-05-21T13:27:52.133Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-21T14:35:24.670Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.