CVE-2021-47162 in Linux

Summary

by MITRE • 03/25/2024

In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as when this skb was created by pskb_copy(), where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs.

However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes, as this appended frag skb is seen by multiple skbs but it only got skb_get called once.

The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb. Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices:

[] kernel BUG at net/core/skbuff.c:1970!
[] Call Trace:
[] skb_clone+0x4d/0xb0
[] macvlan_broadcast+0xd8/0x160 [macvlan]
[] macvlan_process_broadcast+0x148/0x150 [macvlan]
[] process_one_work+0x1a7/0x360
[] worker_thread+0x30/0x390

[] kernel BUG at mm/usercopy.c:102!
[] Call Trace:
[] __check_heap_object+0xd3/0x100
[] __check_object_size+0xff/0x16b
[] simple_copy_to_iter+0x1c/0x30
[] __skb_datagram_iter+0x7d/0x310
[] __skb_datagram_iter+0x2a5/0x310
[] skb_copy_datagram_iter+0x3b/0x90
[] tipc_recvmsg+0x14a/0x3a0 [tipc]
[] ____sys_recvmsg+0x91/0x150
[] ___sys_recvmsg+0x7b/0xc0

[] kernel BUG at mm/slub.c:305!
[] Call Trace:
[]
[] kmem_cache_free+0x3ff/0x400
[] __netif_receive_skb_core+0x12c/0xc40
[] ? kmem_cache_alloc+0x12e/0x270
[] netif_receive_skb_internal+0x3d/0xb0
[] ? get_rx_page_info+0x8e/0xa0 [be2net]
[] be_poll+0x6ef/0xd00 [be2net]
[] ? irq_exit+0x4f/0x100
[] net_rx_action+0x149/0x3b0

...

This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we cannot just drop the frag_list either at the early time.


Analysis

by VulDB Data Team • 08/04/2025

The vulnerability identified as CVE-2021-47162 resides within the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically in how it handles socket buffer (skb) reassembly operations. This flaw manifests when processing network messages that require fragmentation and subsequent reassembly, creating a critical condition that can lead to system instability and potential exploitation. The root cause stems from improper handling of skb fragment lists during message reconstruction, where the kernel fails to correctly manage shared references between multiple skbs that should maintain independent ownership.

The vulnerable code path is the tipc_buf_append() function, which operates on skbs containing fragment lists. When a fragment skb is appended to an existing frag_list, the kernel incorrectly assumes that the fragment remains exclusive to the current skb context. However, in scenarios where the original skb was created through pskb_copy() operations, the frag_list contains skbs that have been reference-counted and shared among multiple skbs. This creates a situation where a single fragment skb may be accessed by multiple skbs simultaneously, leading to a use-after-free condition when one of the referencing skbs attempts to release the fragment. The vulnerability is particularly pronounced when using macvlan network devices, as demonstrated by the reported crash patterns involving kernel BUG traces and memory management failures.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation and denial of service attacks. When the kernel encounters the corrupted skb state during network message processing, it triggers multiple kernel BUG conditions that manifest in different subsystems including memory management, network packet processing, and heap allocation. The reported crash patterns show the kernel attempting to access freed memory regions through functions like __check_heap_object and kmem_cache_free, indicating that the vulnerability allows for memory corruption that can be exploited to execute arbitrary code or cause system panics. This vulnerability affects systems running Linux kernels that implement TIPC networking and macvlan device functionality, with particular risk to servers and network appliances that rely heavily on these networking features.

The mitigation strategy for CVE-2021-47162 involves implementing a fix that linearizes the head skb when it contains a frag_list during tipc_buf_append operations. This approach prevents the problematic scenario where fragment skbs are shared across multiple skbs by ensuring that the head skb is converted to a linear format before any fragment operations occur. The solution specifically addresses the issue by performing skb linearization before calling skb_unshare(), which prevents unnecessary skb copying while ensuring proper memory management. This fix aligns with security best practices for kernel memory management and follows the principle of least privilege by preventing shared access to memory regions that should remain exclusive to individual skbs. The vulnerability classification aligns with CWE-415: Double Free and CWE-476: NULL Pointer Dereference, while the exploitation patterns correspond to ATT&CK techniques involving privilege escalation through kernel memory corruption and system stability compromise.
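The commit message in the Summary and the mitigation paragraph above both rest on one ownership rule: a fragment appended to a head skb's frag_list must be reachable only from that head, and pskb_copy() breaks the assumption by sharing the whole chain between two heads with a single skb_get() per existing fragment. The following user-space C program is an added illustration, not kernel code and not part of the original advisory or of the kernel patch. It models skb reference counting with simplified structs; the helper names skb_get, kfree_skb, pskb_copy, skb_linearize and the check function are borrowed from or modelled on the kernel but their bodies here are constructed. Rather than dereferencing freed memory, it checks an ownership invariant (a fragment must hold at least one reference per head that can reach it) and shows that linearizing the head before appending, as the patch does, restores that invariant.

```c
/* User-space model of the skb frag_list ownership problem fixed in
 * tipc_buf_append(). Constructed illustration only: the kernel's real
 * structures, helpers and locking are far richer than this. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct skb {
    int refcnt;            /* skb_get() increments, kfree_skb() decrements */
    struct skb *next;      /* link to the next fragment within a frag_list */
    struct skb *frag_list; /* chain of fragment skbs, owned via refcounts */
    char data[64];         /* linear payload of this skb */
    size_t len;
};

static struct skb *alloc_skb(const char *payload) {
    struct skb *s = calloc(1, sizeof *s);
    s->refcnt = 1;
    s->len = strlen(payload);
    memcpy(s->data, payload, s->len);
    return s;
}

static struct skb *skb_get(struct skb *s) { s->refcnt++; return s; }

/* Drop one reference; on the last one release the frag_list, then the skb.
 * A fragment whose count hits zero here is freed even if another head
 * still links to it: that dangling link is the use-after-free. */
static void kfree_skb(struct skb *s) {
    if (--s->refcnt > 0) return;
    struct skb *f = s->frag_list;
    while (f) { struct skb *n = f->next; kfree_skb(f); f = n; }
    free(s);
}

/* pskb_copy() model: the new head gets its own copy of the linear data,
 * but the frag_list is cloned by reference (one skb_get() per fragment),
 * so the same chain is now reachable from two heads. */
static struct skb *pskb_copy(struct skb *s) {
    struct skb *c = alloc_skb("");
    memcpy(c->data, s->data, s->len);
    c->len = s->len;
    c->frag_list = s->frag_list;
    for (struct skb *f = c->frag_list; f; f = f->next) skb_get(f);
    return c;
}

/* The pre-patch behaviour: link frag to the tail of head's frag_list.
 * frag has refcnt 1, yet every head sharing this chain can now reach it. */
static void append_frag_buggy(struct skb *head, struct skb *frag) {
    struct skb **tail = &head->frag_list;
    while (*tail) tail = &(*tail)->next;
    *tail = frag;
}

/* __skb_linearize() model: pull all fragment data into head's own buffer
 * and release head's references on the chain, so head no longer shares it. */
static int skb_linearize(struct skb *head) {
    struct skb *f = head->frag_list;
    while (f) {
        if (head->len + f->len > sizeof head->data) return -1; /* no room */
        memcpy(head->data + head->len, f->data, f->len);
        head->len += f->len;
        struct skb *n = f->next;
        kfree_skb(f);
        f = n;
    }
    head->frag_list = NULL;
    return 0;
}

/* The patched behaviour: linearize first if a frag_list is present, then
 * append into a chain that is now empty and exclusively owned by head. */
static int append_frag_fixed(struct skb *head, struct skb *frag) {
    if (head->frag_list && skb_linearize(head) < 0) return -1;
    append_frag_buggy(head, frag);
    return 0;
}

/* How many of the given heads can reach frag through their frag_list. */
static int heads_seeing(struct skb *frag, struct skb **heads, int n) {
    int seen = 0;
    for (int i = 0; i < n; i++)
        for (struct skb *f = heads[i]->frag_list; f; f = f->next)
            if (f == frag) seen++;
    return seen;
}

/* Returns 1 when the buggy append leaves a fragment reachable from more
 * heads than it holds references for (the kernel would free it twice). */
int demo_buggy_violates_invariant(void) {
    struct skb *orig = alloc_skb("hdr");
    orig->frag_list = alloc_skb("frag1");
    struct skb *copy = pskb_copy(orig);      /* chain shared: frag1 refcnt 2 */
    struct skb *nf = alloc_skb("frag2");
    append_frag_buggy(orig, nf);              /* nf: refcnt 1, seen by 2 heads */
    struct skb *heads[2] = { orig, copy };
    int violated = heads_seeing(nf, heads, 2) > nf->refcnt;
    /* Stop here: freeing both heads would free nf twice. The model leaks
     * these objects on purpose instead of reproducing the crash. */
    return violated;
}

/* Returns 1 when the patched append keeps every fragment's references
 * >= the number of heads that can reach it, and teardown is clean. */
int demo_fixed_keeps_invariant(void) {
    struct skb *orig = alloc_skb("hdr");
    orig->frag_list = alloc_skb("frag1");
    struct skb *copy = pskb_copy(orig);
    struct skb *nf = alloc_skb("frag2");
    if (append_frag_fixed(orig, nf) < 0) return 0;
    struct skb *heads[2] = { orig, copy };
    int ok = heads_seeing(nf, heads, 2) <= nf->refcnt
          && heads_seeing(copy->frag_list, heads, 2) <= copy->frag_list->refcnt
          && orig->len == 8;                  /* "hdr" + "frag1" pulled in */
    kfree_skb(orig);                          /* frees nf with orig */
    kfree_skb(copy);                          /* frees frag1 with copy */
    return ok;
}

int main(void) {
    printf("buggy append violates ownership invariant: %d\n",
           demo_buggy_violates_invariant());
    printf("patched append keeps ownership invariant:   %d\n",
           demo_fixed_keeps_invariant());
    return 0;
}
```

The invariant check is the part worth keeping in mind when reviewing similar code: any time a chain of reference-counted objects can be reached from more than one owner, an append that takes no extra reference is a latent double free, whether or not a crash shows up in testing.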

Reservation: 03/25/2024

Disclosure: 03/25/2024

Moderation: accepted

CPE: ready

EPSS: 0.00232

KEV: no

Activities: very low
