CVE-2021-47014 in Linux

Summary

by MITRE • 02/28/2024

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix wild memory access when clearing fragments

While testing re-assembly/re-fragmentation using act_ct, it's possible to observe a crash like the following one:

KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f]
CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424
Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0
Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48
RSP: 0018:ffff888c31449db8 EFLAGS: 00010203
RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960
RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e
RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350
R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000
R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160
FS:  0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 inet_frag_destroy+0xa9/0x150
 call_timer_fn+0x2d/0x180
 run_timer_softirq+0x4fe/0xe70
 __do_softirq+0x197/0x5a0
 irq_exit_rcu+0x1de/0x200
 sysvec_apic_timer_interrupt+0x6b/0x80

When act_ct temporarily stores an IP fragment, restoring the skb qdisc cb results in putting random data in FRAG_CB(), and this causes those "wild" memory accesses later, when the rbtree is purged. Never overwrite the skb cb in case tcf_ct_handle_fragments() returns -EINPROGRESS.


Analysis

by VulDB Data Team • 01/08/2025

The vulnerability described in CVE-2021-47014 affects the Linux kernel's net/sched subsystem, specifically within the act_ct (connection tracking) component. This issue manifests as a wild memory access condition that occurs during packet re-assembly and re-fragmentation operations. The flaw is particularly dangerous because it can lead to kernel crashes and potential system instability when connection tracking is actively managing fragmented IP packets. The vulnerability stems from improper handling of socket buffer control block (skb cb) data during fragment processing, creating a scenario where random memory values are written to FRAG_CB() structures.

The technical root cause involves the interaction between the act_ct module and the kernel's fragment handling mechanisms. When the tcf_ct_handle_fragments() function processes IP fragments, it temporarily stores fragment information and modifies the skb's control block data. However, the code fails to properly account for cases where this function returns -EINPROGRESS, indicating that fragment processing is incomplete. This oversight leads to the overwriting of existing skb control block data with random values, which then get used later during the rbtree purging phase of fragment management. The kernel's memory sanitizer (KASAN) detects this as a potential wild memory access in the inet_frag_rbtree_purge function, where the corrupted data causes memory corruption during cleanup operations.
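The root cause described above comes down to one scratch area, skb->cb, being reinterpreted by two layers: the qdisc layer keeps its own data there, and once a fragment is queued for reassembly the same bytes become FRAG_CB(). The following userland C model is an added example written for this page; it is not the kernel's code or the fix commit, and the structures, the handle_fragments()/purge_queue() helpers and the FRAG_MAGIC sentinel are constructed assumptions that only mirror the kernel's names. It contrasts the vulnerable pattern (restore the saved qdisc cb unconditionally) with the fixed pattern (leave the cb alone when the fragment handler returns -EINPROGRESS) and checks what a later purge would find in the queued fragment's cb.

```c
/* Userland model (constructed for this page, not kernel code) of the
 * control-block aliasing behind CVE-2021-47014.  Names mirror the kernel's
 * for readability; the layouts and helpers are this model's own. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48

struct skb {
    /* Shared control block, reinterpreted by whichever layer owns the skb. */
    unsigned char cb[CB_SIZE] __attribute__((aligned(8)));
};

/* What the qdisc layer keeps in cb (assumed layout). */
struct qdisc_cb {
    uint32_t pkt_len;
    uint8_t  tc_classid;
};

/* What the reassembly code keeps in cb once the fragment is queued.  The real
 * FRAG_CB() holds rbtree/list bookkeeping; here a sentinel stands in for it. */
struct frag_cb {
    uint64_t    magic;      /* must equal FRAG_MAGIC while queued */
    struct skb *next_frag;
};
#define FRAG_MAGIC 0x4652414743425f4bULL

static struct qdisc_cb *qdisc_skb_cb(struct skb *s) { return (struct qdisc_cb *)s->cb; }
static struct frag_cb  *FRAG_CB(struct skb *s)      { return (struct frag_cb *)s->cb; }

/* Model of tcf_ct_handle_fragments(): a fragment that does not complete the
 * datagram is queued (its cb now belongs to reassembly) and -EINPROGRESS is
 * returned; a complete packet returns 0 and stays with the caller. */
static int handle_fragments(struct skb *s, int is_last_fragment, struct skb **queue)
{
    if (is_last_fragment)
        return 0;
    FRAG_CB(s)->magic = FRAG_MAGIC;
    FRAG_CB(s)->next_frag = NULL;
    *queue = s;
    return -EINPROGRESS;
}

/* Model of the later purge (inet_frag_rbtree_purge): it trusts the data in
 * the queued fragment's cb.  Returns 1 if that data is intact, 0 if it was
 * clobbered (where the kernel would follow garbage pointers). */
static int purge_queue(struct skb *queue)
{
    if (!queue)
        return 1;
    return FRAG_CB(queue)->magic == FRAG_MAGIC;
}

/* Vulnerable pattern: save the qdisc cb, run fragment handling, restore the
 * cb unconditionally, even when the skb was handed to the reassembly queue. */
static int ct_act_vulnerable(struct skb *s, int is_last, struct skb **queue)
{
    struct qdisc_cb saved = *qdisc_skb_cb(s);
    int err = handle_fragments(s, is_last, queue);
    *qdisc_skb_cb(s) = saved;   /* overwrites FRAG_CB() of a queued fragment */
    return err;
}

/* Fixed pattern: on -EINPROGRESS the skb is no longer ours; leave cb alone. */
static int ct_act_fixed(struct skb *s, int is_last, struct skb **queue)
{
    struct qdisc_cb saved = *qdisc_skb_cb(s);
    int err = handle_fragments(s, is_last, queue);
    if (err == -EINPROGRESS)
        return err;             /* fragment queued: cb belongs to reassembly */
    *qdisc_skb_cb(s) = saved;
    return err;
}

/* Runs one non-final fragment through the given action and reports whether
 * the later purge still finds intact fragment bookkeeping. */
static int queue_intact_after(int (*act)(struct skb *, int, struct skb **))
{
    struct skb s;
    struct skb *queue = NULL;
    memset(&s, 0, sizeof(s));
    qdisc_skb_cb(&s)->pkt_len = 1500;   /* constructed sample values */
    qdisc_skb_cb(&s)->tc_classid = 7;
    act(&s, 0 /* not the last fragment */, &queue);
    return purge_queue(queue);
}

int main(void)
{
    printf("vulnerable: fragment cb intact at purge? %s\n",
           queue_intact_after(ct_act_vulnerable) ? "yes" : "no");
    printf("fixed:      fragment cb intact at purge? %s\n",
           queue_intact_after(ct_act_fixed) ? "yes" : "no");
    return 0;
}
```

The sentinel check is what KASAN's "wild-memory-access" report corresponds to in the real kernel: the purge reads rbtree links out of FRAG_CB() and finds whatever the restored qdisc cb left there. The fixed variant encodes the rule from the commit message, that the cb must not be written once tcf_ct_handle_fragments() has reported -EINPROGRESS.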

This vulnerability has significant operational impact as it can be triggered through normal network traffic patterns involving fragmented packets and connection tracking. The crash occurs in kernel space, potentially leading to system crashes, denial of service conditions, or in worst-case scenarios, privilege escalation opportunities. The attack vector is particularly concerning because it requires only normal network packet processing activity, making it exploitable in environments where connection tracking is enabled and fragmentation occurs. According to CWE classification, this represents a CWE-787: Out-of-bounds Write vulnerability, while the ATT&CK framework would categorize this under T1068: Exploitation for Privilege Escalation and T1499.1: Endpoint Denial of Service.

Mitigation strategies for CVE-2021-47014 focus on patching the kernel to properly handle the fragment processing return codes and prevent overwriting of skb control block data. System administrators should apply the latest kernel updates that contain the fix for this vulnerability, which specifically addresses the condition where the skb cb data should not be overwritten when tcf_ct_handle_fragments() returns -EINPROGRESS. Additionally, monitoring network traffic patterns for unusual fragmentation behavior and implementing proper kernel security configurations can help detect potential exploitation attempts. Organizations should also consider implementing network segmentation and access controls to limit the impact if exploitation occurs, while maintaining regular kernel update schedules to address similar vulnerabilities in the future.

Reservation

02/27/2024

Disclosure

02/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00233

KEV

no

Activities

very low
