CVE-2021-47159 in Linux
Summary
by MITRE • 03/25/2024
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: fix a crash if ->get_sset_count() fails
If ds->ops->get_sset_count() fails then "count" is a negative error code such as -EOPNOTSUPP. Because "i" is an unsigned int, the negative error code is type promoted to a very high value and the loop will corrupt memory until the system crashes.
Fix this by checking for error codes and changing the type of "i" to just int.
Analysis
by VulDB Data Team • 08/04/2025
CVE-2021-47159 is a memory corruption bug in the Linux kernel's Distributed Switch Architecture (DSA) layer, the networking code that drives Ethernet switch chips. The flaw sits in the code that prepares ethtool string sets (statistics names) for a switch port: the return value of the driver callback ds->ops->get_sset_count() is used directly as a loop bound, and nothing checks whether that value is a negative error code rather than a count. When it is, the loop runs far past the end of its buffer and corrupts memory until the kernel crashes, so the observable outcome is a denial of service.
The root cause is a mismatch between the callback's signed return value and an unsigned loop counter. ds->ops->get_sset_count() returns either a number of strings or a negative errno such as -EOPNOTSUPP (-95). The loop counter "i" is declared unsigned int, and when it is compared against the int "count" the usual arithmetic conversions turn the negative count into an unsigned value: -95 becomes 4294967201. The loop is therefore not infinite, but it is effectively unbounded: each iteration rewrites another fixed-width entry beyond the end of the strings buffer, and the kernel crashes long before the counter gets anywhere near that bound. VulDB classifies the weakness as CWE-129 (Improper Validation of Array Index) and maps it to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation).
The operational impact is a kernel crash, and with it loss of the whole system, on any Linux machine using the DSA framework whose switch driver can return an error from get_sset_count() for a requested string set. The vulnerable code runs in response to ethtool string-set queries for the switch, not in the packet path: ordinary traffic flowing through the switch does not exercise it, and nothing in the fix description points at a remote trigger. The condition is reached whenever the driver answers such a query with an error code, so routine statistics collection by a local monitoring tool can be enough to hit it; whether an unprivileged local user can issue that query depends on the kernel's ethtool permission checks for the request in question.
The fix makes two changes. First, the return value of ds->ops->get_sset_count() is checked before it is used: a negative error code now makes the function return without touching the buffer. Second, the loop counter "i" is changed from unsigned int to int, so that even if a negative bound were ever compared against it, the comparison would be signed and the loop body would simply not execute. The first change is the actual fix; the second removes the signed/unsigned mismatch that turned a benign error return into an unbounded write, and it is the kind of defensive choice worth copying whenever a loop bound comes from a function that can fail. Operationally there is nothing to tune: run a kernel that carries this commit, since the failure mode is a crash of the whole system and the change is small and self-contained.
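The signed/unsigned mismatch and the two-part fix, reduced to a stand-alone C model. This is an added example, not code from the kernel commit or from VulDB: the driver callbacks fake_get_sset_count() and fake_get_strings(), the buffer capacity NENTRIES and the struct run bookkeeping are constructed for the demonstration, and the unfixed variant stops at the end of the buffer and records the attempted overflow instead of corrupting memory the way the real loop does. The fixed variant returns the errno rather than being void so the caller can see why nothing was written.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_GSTRING_LEN 32	/* width of one ethtool string, as in the kernel */
#define ETH_SS_STATS 1		/* the only string set the fake driver supports */
#define NENTRIES 4		/* constructed: capacity of the demo strings buffer */

/* Outcome of one run of the prefixing loop. */
struct run {
	unsigned int iterations_requested;	/* bound implied by the loop condition */
	unsigned int writes_done;		/* in-bounds entries rewritten */
	int overflowed;				/* 1 if a write past the buffer was attempted */
	int rc;					/* 0, or the negative errno handed back */
};

/* Constructed stand-in for ds->ops->get_sset_count(): a string count for a
 * supported set, a negative errno otherwise (the case the CVE is about). */
static int fake_get_sset_count(int stringset)
{
	return stringset == ETH_SS_STATS ? 2 : -EOPNOTSUPP;
}

/* Constructed stand-in for ds->ops->get_strings(); a negative count writes nothing. */
static void fake_get_strings(uint8_t *data, int count)
{
	for (int i = 0; i < count; i++)
		snprintf((char *)data + i * ETH_GSTRING_LEN, ETH_GSTRING_LEN, "stat%d", i);
}

/* Shift entry i right by four bytes and write the "pNN_" port prefix in front,
 * the same rewrite DSA applies to every driver-supplied string. */
static void prefix_entry(uint8_t *ndata, unsigned int i, int port)
{
	uint8_t *e = ndata + i * ETH_GSTRING_LEN;
	uint8_t pfx[4];

	snprintf((char *)pfx, sizeof(pfx), "p%.2d", port);
	pfx[3] = '_';
	memmove(e + sizeof(pfx), e, ETH_GSTRING_LEN - sizeof(pfx));
	memcpy(e, pfx, sizeof(pfx));
}

/* Unfixed shape: no check on count, unsigned counter. In the kernel the loop
 * keeps writing past ndata; this model stops at the buffer end and records
 * that an out-of-bounds write was attempted. */
static struct run prefix_strings_unfixed(uint8_t *ndata, unsigned int nentries,
					 int port, int stringset)
{
	struct run r = {0};
	int count = fake_get_sset_count(stringset);
	unsigned int i;

	fake_get_strings(ndata, count);
	/* "i < count" converts the int count to unsigned: -EOPNOTSUPP (-95)
	 * becomes 4294967201, so the loop runs until memory gives out. */
	r.iterations_requested = (unsigned int)count;
	for (i = 0; i < count; i++) {
		if (i >= nentries) {	/* model only: the real loop has no guard */
			r.overflowed = 1;
			break;
		}
		prefix_entry(ndata, i, port);
		r.writes_done++;
	}
	return r;
}

/* Fixed shape: return on an error code, and use a signed counter so a negative
 * bound could not be misread even if one slipped through. No buffer guard is
 * needed here because the caller sizes ndata from the same count. */
static struct run prefix_strings_fixed(uint8_t *ndata, int port, int stringset)
{
	struct run r = {0};
	int count = fake_get_sset_count(stringset);
	int i;

	if (count < 0) {
		r.rc = count;
		return r;
	}
	fake_get_strings(ndata, count);
	r.iterations_requested = (unsigned int)count;
	for (i = 0; i < count; i++) {
		prefix_entry(ndata, (unsigned int)i, port);
		r.writes_done++;
	}
	return r;
}

/* Scratch buffer and one-line helpers so each variant can be run and inspected. */
static uint8_t demo_buf[NENTRIES * ETH_GSTRING_LEN];
static struct run run_unfixed(int s) { memset(demo_buf, 0, sizeof(demo_buf)); return prefix_strings_unfixed(demo_buf, NENTRIES, 0, s); }
static struct run run_fixed(int s) { memset(demo_buf, 0, sizeof(demo_buf)); return prefix_strings_fixed(demo_buf, 0, s); }
static const char *demo_entry(unsigned int n) { return (const char *)demo_buf + n * ETH_GSTRING_LEN; }
```

Calling run_unfixed(0) asks for an unsupported string set: the callback returns -EOPNOTSUPP, the loop bound becomes 4294967201, and the model rewrites every one of its NENTRIES entries before reporting the attempted overflow. run_fixed(0) returns -EOPNOTSUPP with zero writes, and both variants behave identically for the supported set, which is why the bug stayed hidden on drivers that never fail this callback.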