CVE-2021-47592 (GCVE-0-2021-47592)

Vulnerability from cvelistv5 – Published: 2024-06-19 14:53 – Updated: 2025-05-04 07:14
VLAI?
Title
net: stmmac: fix tc flower deletion for VLAN priority Rx steering
Summary
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix tc flower deletion for VLAN priority Rx steering To replicate the issue:- 1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlan_prio 0 hw_tc 0 2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress 3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151 From dmesg, we will observe kernel NULL pointer ooops [ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI <snip> [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac] <snip> [ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac] [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac] [ 197.171367] tc_setup_cb_destroy+0xb3/0x180 [ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] The above issue is due to previous incorrect implementation of tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule() to get struct flow_rule *rule which is no longer valid for tc filter delete operation. struct flow_rule *rule = flow_cls_offload_flow_rule(cls); struct flow_dissector *dissector = rule->match.dissector; So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(), this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based. v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.
Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3 , < 97cb5c82aa1dd85a39b1bd021c8b5f18af623779 (git)
Affected: 0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3 , < aeb7c75cb77478fdbf821628e9c95c4baa9adc63 (git)
Create a notification for this product.
    Linux Linux Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.11 , ≤ 5.15.* (semver)
Unaffected: 5.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-47592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-20T15:19:38.436561Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T15:17:09.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:47:39.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac.h",
            "drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97cb5c82aa1dd85a39b1bd021c8b5f18af623779",
              "status": "affected",
              "version": "0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3",
              "versionType": "git"
            },
            {
              "lessThan": "aeb7c75cb77478fdbf821628e9c95c4baa9adc63",
              "status": "affected",
              "version": "0e039f5cf86ce2fcb62077a163e7ff3d7b7b7cf3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac.h",
            "drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.11",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\n\nTo replicate the issue:-\n\n1) Add 1 flower filter for VLAN Priority based frame steering:-\n$ IFDEVNAME=eth0\n$ tc qdisc add dev $IFDEVNAME ingress\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\n   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\n   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\n   flower vlan_prio 0 hw_tc 0\n\n2) Get the \u0027pref\u0027 id\n$ tc filter show dev $IFDEVNAME ingress\n\n3) Delete a specific tc flower record (say pref 49151)\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\n\nFrom dmesg, we will observe kernel NULL pointer ooops\n\n[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  197.171367] #PF: supervisor read access in kernel mode\n[  197.171367] #PF: error_code(0x0000) - not-present page\n[  197.171367] PGD 0 P4D 0\n[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\n\n\u003csnip\u003e\n\n[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\n\n\u003csnip\u003e\n\n[  197.171367] Call Trace:\n[  197.171367]  \u003cTASK\u003e\n[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\n[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\n[  197.171367]  tc_setup_cb_destroy+0xb3/0x180\n[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n\nThe above issue is due to previous incorrect implementation of\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\nto get struct flow_rule *rule which is no longer valid for tc filter\ndelete operation.\n\n  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);\n  struct flow_dissector *dissector = rule-\u003ematch.dissector;\n\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\nearlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\nthis patch introduces stmmac_rfs_entry as driver-side flow_cls_offload\nrecord for \u0027RX frame steering\u0027 tc flower, currently used for VLAN\npriority. The implementation has taken consideration for future extension\nto include other type RX frame steering such as EtherType based.\n\nv2:\n - Clean up overly extensive backtrace and rewrite git message to better\n   explain the kernel NULL pointer issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:14:19.633Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779"
        },
        {
          "url": "https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63"
        }
      ],
      "title": "net: stmmac: fix tc flower deletion for VLAN priority Rx steering",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47592",
    "datePublished": "2024-06-19T14:53:55.574Z",
    "dateReserved": "2024-05-24T15:11:00.733Z",
    "dateUpdated": "2025-05-04T07:14:19.633Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:47:39.480Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47592\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-20T15:19:38.436561Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476 NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-20T15:19:42.370Z\"}}], \"cna\": {\"title\": \"net: stmmac: fix tc flower deletion for VLAN priority Rx steering\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"0e039f5cf86c\", \"lessThan\": \"97cb5c82aa1d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"0e039f5cf86c\", \"lessThan\": \"aeb7c75cb774\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/net/ethernet/stmicro/stmmac/stmmac.h\", \"drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.13\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.13\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/net/ethernet/stmicro/stmmac/stmmac.h\", \"drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/97cb5c82aa1dd85a39b1bd021c8b5f18af623779\"}, {\"url\": \"https://git.kernel.org/stable/c/aeb7c75cb77478fdbf821628e9c95c4baa9adc63\"}], \"x_generator\": {\"engine\": \"bippy-9e1c9544281a\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\\n\\nTo replicate the issue:-\\n\\n1) Add 1 flower filter for VLAN Priority based frame steering:-\\n$ IFDEVNAME=eth0\\n$ tc qdisc add dev $IFDEVNAME ingress\\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\\\\n   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\\\\n   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\\\\n   flower vlan_prio 0 hw_tc 0\\n\\n2) Get the \u0027pref\u0027 id\\n$ tc filter show dev $IFDEVNAME ingress\\n\\n3) Delete a specific tc flower record (say pref 49151)\\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\\n\\nFrom dmesg, we will observe kernel NULL pointer ooops\\n\\n[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[  197.171367] #PF: supervisor read access in kernel mode\\n[  197.171367] #PF: error_code(0x0000) - not-present page\\n[  197.171367] PGD 0 P4D 0\\n[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\\n\\n\u003csnip\u003e\\n\\n[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\\n\\n\u003csnip\u003e\\n\\n[  197.171367] Call Trace:\\n[  197.171367]  \u003cTASK\u003e\\n[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\\n[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\\n[  197.171367]  tc_setup_cb_destroy+0xb3/0x180\\n[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\\n\\nThe above issue is due to previous incorrect implementation of\\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\\nto get struct flow_rule *rule which is no longer valid for tc filter\\ndelete operation.\\n\\n  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);\\n  struct flow_dissector *dissector = rule-\u003ematch.dissector;\\n\\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\\nearlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\\nthis patch introduces stmmac_rfs_entry as driver-side flow_cls_offload\\nrecord for \u0027RX frame steering\u0027 tc flower, currently used for VLAN\\npriority. The implementation has taken consideration for future extension\\nto include other type RX frame steering such as EtherType based.\\n\\nv2:\\n - Clean up overly extensive backtrace and rewrite git message to better\\n   explain the kernel NULL pointer issue.\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-11-04T12:08:47.143Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47592\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-06T15:17:09.361Z\", \"dateReserved\": \"2024-05-24T15:11:00.733Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-06-19T14:53:55.574Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.