CVE-2021-47517 in Linux
Summary
by MITRE • 05/24/2024
In the Linux kernel, the following vulnerability has been resolved:
ethtool: do not perform operations on net devices being unregistered
There is a short period between a net device starts to be unregistered and when it is actually gone. In that time frame ethtool operations could still be performed, which might end up in unwanted or undefined behaviours[1].
Do not allow ethtool operations after a net device starts its unregistration. This patch targets the netlink part as the ioctl one isn't affected: the reference to the net device is taken and the operation is executed within an rtnl lock section and the net device won't be found after unregister.
[1] For example adding Tx queues after unregister ends up in NULL
pointer exceptions and UaFs, such as:
BUG: KASAN: use-after-free in kobject_get+0x14/0x90 Read of size 1 at addr ffff88801961248c by task ethtool/755
CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014 Call Trace: dump_stack_lvl+0x57/0x72 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x7f/0x11b kobject_get+0x14/0x90 kobject_add_internal+0x3d1/0x450 kobject_init_and_add+0xba/0xf0 netdev_queue_update_kobjects+0xcf/0x200 netif_set_real_num_tx_queues+0xb4/0x310 veth_set_channels+0x1c3/0x550 ethnl_set_channels+0x524/0x610
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/01/2025
The vulnerability CVE-2021-47517 addresses a critical race condition in the Linux kernel's ethtool implementation that occurs during network device unregistration processes. This issue specifically affects the netlink subsystem portion of ethtool operations while leaving the ioctl interface unaffected due to different internal locking mechanisms. The core problem emerges from a temporal gap between when a network device begins its unregistration process and when it is completely removed from the system. During this interim period, ethtool operations can still be executed against devices that are in transition, creating potential for system instability and undefined behavior. The vulnerability represents a classic use-after-free scenario where operations targeting network device structures that are already in the process of being torn down can result in kernel memory corruption.
The technical flaw manifests when ethtool commands attempt to modify network device parameters during the unregister phase, particularly affecting operations such as adding Tx queues. The kernel's reference counting and locking mechanisms fail to properly prevent these operations during the device transition period, leading to scenarios where device structures are accessed after their memory has been freed or repurposed. When operations like netif_set_real_num_tx_queues are invoked on devices that have begun unregistration, the underlying kobject subsystem attempts to access freed memory structures, resulting in use-after-free conditions that trigger kernel address sanitizer (KASAN) errors. The specific crash pattern shows kernel memory corruption in functions like kobject_get and kobject_add_internal, where the system attempts to reference objects that have already been deallocated, causing kernel panics and system instability.
This vulnerability impacts the operational integrity of Linux systems running kernel versions where the race condition exists, particularly affecting network management operations during system maintenance or device hot-plugging scenarios. The operational consequences extend beyond simple system crashes to include potential data corruption, service disruption, and reduced system reliability during network device lifecycle management. Attackers could potentially exploit this vulnerability to cause denial of service conditions or in more sophisticated scenarios, leverage the memory corruption for privilege escalation, though the direct attack surface is limited to legitimate ethtool operations. The vulnerability aligns with CWE-362, which describes a race condition in concurrent programming where operations occur in an unexpected order, and maps to ATT&CK technique T1059.003 for execution through command and scripting interpreter, specifically targeting the ethtool utility as an attack vector.
The mitigation strategy involves implementing proper synchronization mechanisms that prevent ethtool operations from proceeding once a network device has initiated its unregistration process. The patch addresses this by ensuring that ethtool netlink operations are blocked during device unregistration, preventing access to potentially invalid device structures. System administrators should ensure they are running kernel versions that include this patch, particularly in environments where network device management operations occur frequently during system maintenance or dynamic network configuration changes. Organizations should also implement monitoring for ethtool operations during device lifecycle events and consider implementing proper device lifecycle management policies that avoid concurrent operations during unregistration phases. The fix demonstrates proper kernel design principles by ensuring that reference counting and locking mechanisms are adequate to prevent access to objects in transitional states, aligning with best practices for concurrent system programming and kernel security hardening.