CVE-2021-47174 in Linuxinfo

Summary

by MITRE • 03/25/2024

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version

Arturo reported this backtrace:

[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
[709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod
[709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common
[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
[709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020
[709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0
[709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb
[709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202
[709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001
[709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003
[709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462
[709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960
[709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660
[709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000
[709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0
[709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[709732.359003] PKRU: 55555554
[709732.359005] Call Trace:
[709732.359009]
[709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
[709732.359046] ? sched_clock+0x5/0x10
[709732.359054] ? sched_clock_cpu+0xc/0xb0
[709732.359061] ? record_times+0x16/0x80
[709732.359068] ? plist_add+0xc1/0x100
[709732.359073] ? psi_group_change+0x47/0x230
[709732.359079] ? skb_clone+0x4d/0xb0
[709732.359085] ? enqueue_task_rt+0x22b/0x310
[709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]
[709732.359102] ? packet_rcv+0x40/0x4a0
[709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359133] nft_do_chain+0x350/0x500 [nf_tables]
[709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables]
[709732.359172] ? fib4_rule_action+0x6d/0x80
[709732.359178] ? fib_rules_lookup+0x107/0x250
[709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]
[709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat]
[709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat]
[709732.359207] nf_hook_slow+0x44/0xc0
[709732.359214] ip_output+0xd2/0x100
[709732.359221] ? __ip_finish_output+0x210/0x210
[709732.359226] ip_forward+0x37d/0x4a0
[709732.359232] ? ip4_key_hashfn+0xb0/0xb0
[709732.359238] ip_subli
---truncated---


Analysis

by VulDB Data Team • 08/04/2025

The vulnerability identified as CVE-2021-47174 resides within the Linux kernel's netfilter subsystem, specifically affecting the nft_set_pipapo_avx2 implementation. This issue manifests when the system attempts to utilize AVX2 instructions for performance optimization in packet filtering operations but fails to properly verify whether the processor supports these instructions in the current execution context. The flaw occurs during the execution of the kernel_fpu_begin_mask function, which is responsible for managing floating-point unit state and FPU context switching. When a kernel thread or process attempts to execute AVX2 instructions without proper FPU state initialization, the kernel triggers a warning and potentially causes system instability or crashes. The backtrace indicates that the error originates from nft_pipapo_avx2_lookup, a function within the nf_tables module that implements lookup operations for pipapo hash sets, which are used in netfilter rules for efficient packet matching.

The technical root cause of this vulnerability stems from the absence of proper irq_fpu_usable() checks before executing AVX2 optimized code paths. The irq_fpu_usable() function is a kernel mechanism that determines whether it is safe to use FPU instructions in interrupt contexts, particularly when dealing with virtualized or shared processor environments. Without this check, the kernel's netfilter subsystem attempts to execute AVX2 instructions even when the processor context does not support them, leading to a kernel oops or system crash. This vulnerability directly maps to CWE-119, which addresses improper restriction of operations within a recognized security boundary, and also relates to CWE-399, which covers resource management errors. The flaw is particularly concerning in virtualized environments where FPU state management is more complex and where interrupt handling may not properly account for CPU feature availability.

The operational impact of this vulnerability is significant for systems running Linux kernels with netfilter and nftables configurations that utilize pipapo hash sets. Attackers could potentially trigger this vulnerability through crafted network traffic that forces the kernel to perform lookup operations in large pipapo sets, particularly in environments using nft_nat or similar modules that rely on these data structures. The vulnerability affects systems using the Linux kernel version 5.10 and earlier, particularly when running on processors that support AVX2 instructions but where the FPU state management is not properly handled during interrupt contexts. The issue becomes more pronounced when the system is under load, as the likelihood of triggering the problematic code path increases. This vulnerability aligns with ATT&CK technique T1059.007, which involves the use of system services or kernel modules for exploitation, and could potentially be leveraged in privilege escalation scenarios if combined with other kernel vulnerabilities.

Mitigation strategies for CVE-2021-47174 focus on ensuring that the kernel properly validates FPU capabilities before executing AVX2 optimized code paths. The primary fix involves implementing the irq_fpu_usable() check in the nft_set_pipapo_avx2 code, which ensures that AVX2 instructions are only executed when the processor context supports them. System administrators should update to kernel versions that include the patched implementation, typically kernel 5.11 or later, which contains the necessary safeguards. Additionally, monitoring systems for kernel warnings related to FPU usage and kernel_fpu_begin_mask should be implemented to detect potential exploitation attempts. Organizations using virtualized environments should ensure that their hypervisor configurations properly handle FPU state management, particularly when migrating between different CPU architectures or when using features like nested virtualization that may affect FPU context handling. The fix represents a defensive programming approach that aligns with security best practices for kernel development and helps prevent unintended privilege escalation or denial-of-service conditions in network filtering operations.
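A detection helper for the monitoring advice above, added here as an example and not part of the VulDB record or of the kernel: it groups dmesg-style output into one record per WARNING block and flags a block only when the warning is raised in kernel_fpu_begin_mask and nft_pipapo_avx2_lookup appears as a reliable (non-"?") frame in the Call Trace. The sample lines are constructed after the backtrace quoted above, with one unrelated warning added to show it is not flagged.

```python
import re

# Constructed sample, shaped after the backtrace quoted in the commit message above,
# plus one unrelated WARNING block that must not be flagged.
SAMPLE_DMESG = """\
[709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
[709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
[709732.359005] Call Trace:
[709732.359035]  nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
[709732.359046]  ? sched_clock+0x5/0x10
[709732.359121]  nft_lookup_eval+0x59/0x160 [nf_tables]
[709732.359133]  nft_do_chain+0x350/0x500 [nf_tables]
[709800.000001] WARNING: CPU: 1 PID: 12 at drivers/example/example.c:10 example_fn+0x10/0x20
[709800.000002] CPU: 1 PID: 12 Comm: kworker/1:0 Not tainted 5.10.0-0.bpo.5-amd64 #1
[709800.000003] Call Trace:
[709800.000004]  example_fn+0x10/0x20
"""

WARN_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+)"
                     r" at (?P<loc>\S+) (?P<fn>\w+)\+")
COMM_RE = re.compile(r"\] CPU: \d+ PID: \d+ Comm: (?P<comm>\S+) .*?(?P<ver>\d+\.\d+\.\d+\S*)")
# A leading '?' marks a frame the unwinder considers unreliable; it is kept apart.
FRAME_RE = re.compile(r"\]\s+(?P<unreliable>\? )?(?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_warnings(text):
    """Group dmesg lines into one record per 'WARNING:' block."""
    events, cur = [], None
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            cur = {**m.groupdict(), "comm": None, "kernel": None, "frames": [], "unreliable": []}
            events.append(cur)
            continue
        if cur is None:
            continue
        m = COMM_RE.search(line)
        if m:
            cur["comm"], cur["kernel"] = m.group("comm"), m.group("ver")
            continue
        m = FRAME_RE.search(line)
        if m:
            cur["unreliable" if m.group("unreliable") else "frames"].append(m.group("fn"))
    return events

def is_cve_2021_47174_warning(ev):
    """Signature from the report: FPU warning raised with nft_pipapo_avx2_lookup on the stack."""
    return ev["fn"] == "kernel_fpu_begin_mask" and "nft_pipapo_avx2_lookup" in ev["frames"]

if __name__ == "__main__":
    for ev in parse_warnings(SAMPLE_DMESG):
        if is_cve_2021_47174_warning(ev):
            print(f"[{ev['ts']}] CPU {ev['cpu']} PID {ev['pid']} ({ev['comm']}) kernel {ev['kernel']}: "
                  f"FPU warning under nft_pipapo_avx2_lookup; verify the irq_fpu_usable() fix is present")
```

Feed it the output of dmesg or journalctl -k on a host running nftables with pipapo sets; a hit on a kernel that already carries the fix is worth a closer look, since the fix is meant to make this path fall back silently.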

Reservation

03/25/2024

Disclosure

03/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00232

KEV

no

Activities

very low
