CVE-2021-47572 in Linux

Summary

by MITRE • 05/24/2024

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix null pointer dereference when IPv6 is not enabled

When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug has been present since the beginning of IPv6 nexthop gateway support. Commit 1aefd3de7bc6 ("ipv6: Add fib6_nh_init and release to stubs") tells us that only fib6_nh_init has a dummy stub because fib6_nh_release should not be called if fib6_nh_init returns an error, but the commit below added a call to ipv6_stub->fib6_nh_release in its error path. To fix it return the dummy stub's -EAFNOSUPPORT error directly without calling ipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.

[1]
Output is a bit truncated, but it clearly shows the error.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860
RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000
R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f
R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840
FS:  00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0
Call Trace:
 nh_create_ipv6+0xed/0x10c
 rtm_new_nexthop+0x6d7/0x13f3
 ? check_preemption_disabled+0x3d/0xf2
 ? lock_is_held_type+0xbe/0xfd
 rtnetlink_rcv_msg+0x23f/0x26a
 ? check_preemption_disabled+0x3d/0xf2
 ? rtnl_calcit.isra.0+0x147/0x147
 netlink_rcv_skb+0x61/0xb2
 netlink_unicast+0x100/0x187
 netlink_sendmsg+0x37f/0x3a0
 ? netlink_unicast+0x187/0x187
 sock_sendmsg_nosec+0x67/0x9b
 ____sys_sendmsg+0x19d/0x1f9
 ? copy_msghdr_from_user+0x4c/0x5e
 ? rcu_read_lock_any_held+0x2a/0x78
 ___sys_sendmsg+0x6c/0x8c
 ? asm_sysvec_apic_timer_interrupt+0x12/0x20
 ? lockdep_hardirqs_on+0xd9/0x102
 ? sockfd_lookup_light+0x69/0x99
 __sys_sendmsg+0x50/0x6e
 do_syscall_64+0xcb/0xf2
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f98dea28914
Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914
RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008
R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001
R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0
Modules linked in: bridge stp llc bonding virtio_net


Analysis

by VulDB Data Team • 06/21/2025

CVE-2021-47572 is a NULL pointer dereference in the Linux kernel's nexthop object code (net: nexthop, net/ipv4/nexthop.c), reached through nh_create_ipv6() when userspace adds a nexthop with an IPv6 gateway on a kernel built without IPv6 (!CONFIG_IPV6). In that configuration the global ipv6_stub dispatch table points at a dummy implementation. Its fib6_nh_init entry exists and returns -EAFNOSUPPORT; its fib6_nh_release entry was deliberately left unset because, as the commit message recalls from commit 1aefd3de7bc6, release must never be called after a failed init. A later change to nh_create_ipv6() added exactly that call to its error path, so the failure case becomes an indirect call through a NULL function pointer.

The oops in the summary shows this directly. "#PF: supervisor instruction fetch in kernel mode" together with "RIP: 0010:0x0" means the CPU was asked to execute address 0, which is what a call through a NULL function pointer produces (a NULL data access would instead fault on a read or write with a non-zero RIP). The faulting frame is nh_create_ipv6+0xed, called from rtm_new_nexthop, the rtnetlink handler for RTM_NEWNEXTHOP, with the ip(8) command (Comm: ip) as the caller; an "ip nexthop add ... via <IPv6 address> dev <device>" is the operation that reaches this path. The saved R12 value 0xffffff9f is -97, the numeric value of EAFNOSUPPORT on Linux, consistent with the dummy fib6_nh_init having just returned its error when the release call was made. The problem has existed since IPv6 nexthop gateway support was introduced; it is a violation of the error-path contract between the nexthop code and the stub interface, not a flaw in the stub mechanism itself.

The operational impact is a kernel oops: the calling task is killed and, where kernel.panic_on_oops is set, the whole machine panics. Even without a panic the damage is not contained, because rtm_new_nexthop runs under the RTNL mutex and an oops does not release it, so subsequent routing configuration on that host blocks. Every container sharing the kernel is affected alike. Triggering the bug requires sending RTM_NEWNEXTHOP over rtnetlink, which the kernel gates on CAP_NET_ADMIN in the user namespace owning the network namespace; on systems that allow unprivileged user namespaces, an otherwise unprivileged process can obtain that capability over a namespace it creates, so the requirement should not be read as "root only". The page documents a denial of service; it does not demonstrate privilege escalation, and nothing in the trace supports one. The affected population is kernels with nexthop objects and IPv6 nexthop gateway support that were built with CONFIG_IPV6 disabled, a compile-time choice found mostly in embedded and minimal builds. Disabling IPv6 at runtime with the net.ipv6.conf.all.disable_ipv6 sysctl does not install the dummy stub, and the commit message scopes the bug to !CONFIG_IPV6 kernels.

VulDB maps the flaw to CWE-476 (NULL Pointer Dereference) and to ATT&CK T1068 (Exploitation for Privilege Escalation). The CWE fits exactly; the T1068 mapping reflects the generic kernel-bug case rather than anything shown on this page. The fix is the one the commit message describes: nh_create_ipv6() returns the dummy stub's -EAFNOSUPPORT directly and reaches ipv6_stub->fib6_nh_release only when a real IPv6 implementation's fib6_nh_init fails. To check exposure, confirm how the running kernel was built: CONFIG_IPV6 appears in /boot/config-$(uname -r) or, where the option is enabled, in /proc/config.gz, and a kernel with CONFIG_IPV6=y or CONFIG_IPV6=m is outside the scope of this bug. For kernels built without it, run a kernel carrying the fix; the oops was captured on 5.16.0-rc1+, and the fixed versions for each stable series are listed in the kernel.org CVE record and in distribution advisories.
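The stub-table pattern and the two error paths (before and after the fix) are small enough to model in userspace. The following is an added illustration written for this page, not kernel code: the struct and function names mirror the kernel's, but the bodies, the gateway_reachable flag used to make the real init fail, and the release counter are constructed stand-ins. It also adds a third, guarded variant that keys the decision on the table rather than on the errno, which is a design choice of this example and not the kernel's fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Per-nexthop IPv6 state; stands in for the kernel's struct fib6_nh. */
struct fib6_nh {
	int initialised;
};

/* Subset of the kernel's struct ipv6_stub: a table of function pointers that
 * the IPv6 code installs when it is built, and that a dummy table replaces
 * when it is not. */
struct ipv6_stub {
	int  (*fib6_nh_init)(struct fib6_nh *nh, int gateway_reachable);
	void (*fib6_nh_release)(struct fib6_nh *nh);
};

static int release_calls;	/* how often fib6_nh_release ran */

int fib6_nh_release_count(void)
{
	return release_calls;
}

/* Real implementation: init may fail after setting up state, so a release
 * callback exists to undo it. gateway_reachable is a constructed failure knob. */
static int real_fib6_nh_init(struct fib6_nh *nh, int gateway_reachable)
{
	nh->initialised = 1;
	return gateway_reachable ? 0 : -EINVAL;
}

static void real_fib6_nh_release(struct fib6_nh *nh)
{
	nh->initialised = 0;
	release_calls++;
}

/* Dummy init used when IPv6 is not built: sets up nothing, fails immediately. */
static int eafnosupport_fib6_nh_init(struct fib6_nh *nh, int gateway_reachable)
{
	(void)nh;
	(void)gateway_reachable;
	return -EAFNOSUPPORT;
}

const struct ipv6_stub real_stub = {
	.fib6_nh_init = real_fib6_nh_init,
	.fib6_nh_release = real_fib6_nh_release,
};

/* Dummy table: fib6_nh_release is deliberately absent (NULL) because a failed
 * init leaves nothing to release. This NULL is what the buggy path called. */
const struct ipv6_stub dummy_stub = {
	.fib6_nh_init = eafnosupport_fib6_nh_init,
};

/* Error path before the fix: every init failure is followed by a release call.
 * With dummy_stub that is a call through a NULL function pointer, i.e. the
 * "RIP: 0010:0x0" instruction fetch in the oops; never call it with dummy_stub. */
int nh_create_ipv6_buggy(const struct ipv6_stub *stub, struct fib6_nh *nh,
			 int gateway_reachable)
{
	int err = stub->fib6_nh_init(nh, gateway_reachable);

	if (err)
		stub->fib6_nh_release(nh);
	return err;
}

/* Error path as the commit message describes the fix: the dummy stub's
 * -EAFNOSUPPORT is returned directly; release is reached only for a real
 * implementation's failures. */
int nh_create_ipv6_fixed(const struct ipv6_stub *stub, struct fib6_nh *nh,
			 int gateway_reachable)
{
	int err = stub->fib6_nh_init(nh, gateway_reachable);

	if (err) {
		if (err == -EAFNOSUPPORT)
			return err;	/* IPv6 not enabled: nothing was set up */
		stub->fib6_nh_release(nh);
	}
	return err;
}

/* Guarded variant (this example's design choice): decide on the table, not the
 * errno, so a stub that omits release can never be called through NULL. */
int nh_create_ipv6_guarded(const struct ipv6_stub *stub, struct fib6_nh *nh,
			   int gateway_reachable)
{
	int err = stub->fib6_nh_init(nh, gateway_reachable);

	if (err && stub->fib6_nh_release)
		stub->fib6_nh_release(nh);
	return err;
}

int main(void)
{
	struct fib6_nh nh = { 0 };
	int err;

	err = nh_create_ipv6_fixed(&dummy_stub, &nh, 1);
	printf("dummy stub, fixed path:  err=%d releases=%d\n", err, fib6_nh_release_count());
	err = nh_create_ipv6_fixed(&real_stub, &nh, 0);
	printf("real stub, failed init:  err=%d releases=%d\n", err, fib6_nh_release_count());
	err = nh_create_ipv6_buggy(&real_stub, &nh, 1);
	printf("real stub, buggy path:   err=%d releases=%d\n", err, fib6_nh_release_count());
	return 0;
}
```

The fixed variant follows the kernel's reasoning exactly: -EAFNOSUPPORT from the stub means no state was ever set up. The guarded variant trades that precision for a check that survives future stubs; either way the invariant to keep is that a callback the table does not provide is never reached from an error path.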
