CVE-2021-47588 in Linux
Summary
by MITRE • 06/19/2024
In the Linux kernel, the following vulnerability has been resolved:
sit: do not call ipip6_dev_free() from sit_init_net()
ipip6_dev_free is sit dev->priv_destructor, already called by register_netdevice() if something goes wrong.
Alternative would be to make ipip6_dev_free() robust against multiple invocations, but other drivers do not implement this strategy.
syzbot reported:
dst_release underflow WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173 Modules linked in: CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173 Code: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48 RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246 RAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000 RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358 R13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000 FS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160 ipip6_dev_free net/ipv6/sit.c:1414 [inline]
sit_init_net+0x229/0x550 net/ipv6/sit.c:1936 ops_init+0x313/0x430 net/core/net_namespace.c:140 setup_net+0x35b/0x9d0 net/core/net_namespace.c:326 copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470 create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226 ksys_unshare+0x57d/0xb50 kernel/fork.c:3075 __do_sys_unshare kernel/fork.c:3146 [inline]
__se_sys_unshare kernel/fork.c:3144 [inline]
__x64_sys_unshare+0x34/0x40 kernel/fork.c:3144 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f66c882ce99 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200 RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/04/2025
The vulnerability described in CVE-2021-47588 resides within the Linux kernel's sit (Simple Internet Transition) module, specifically concerning the improper invocation of the ipip6_dev_free() function during network namespace initialization. This flaw manifests as a double-free condition or memory corruption that can lead to system instability or potential privilege escalation. The issue occurs in the sit_init_net() function where ipip6_dev_free() is called directly, despite the fact that this function is already registered as a device private destructor through register_netdevice(). When a network device registration fails, the kernel automatically invokes the registered destructor, making the direct call in sit_init_net() redundant and dangerous.
The technical root cause of this vulnerability stems from improper resource management within the kernel's networking subsystem. According to the Linux kernel's design, when a network device is registered, its private destructor function is automatically invoked if the registration process fails. The sit module's sit_init_net() function attempts to manually call ipip6_dev_free() in a cleanup scenario, but this function is already scheduled for execution by the kernel's device management framework. This dual invocation results in an underflow condition in the dst_release function, which is part of the kernel's destination cache management system, as evidenced by the stack trace showing the call path from dst_cache_destroy through ipip6_dev_free to sit_init_net.
This vulnerability presents a significant operational risk to Linux systems that utilize IPv6 tunneling capabilities, particularly those running kernel versions affected by this issue. The potential impact includes system crashes, denial of service conditions, and in extreme cases, privilege escalation that could allow attackers to gain elevated system privileges. The vulnerability is particularly concerning because it can be triggered through legitimate kernel operations involving namespace creation and device management. According to the Common Weakness Enumeration (CWE) taxonomy, this flaw aligns with CWE-415: Double Free, which describes the condition where a program frees the same memory location twice, leading to undefined behavior. The ATT&CK framework categorizes this under privilege escalation techniques where memory corruption vulnerabilities can be leveraged to gain elevated privileges.
Mitigation strategies for this vulnerability require kernel updates that implement the fix described in the patch, which removes the redundant call to ipip6_dev_free() from sit_init_net(). Organizations should prioritize updating their Linux kernel versions to include this fix, particularly in environments where IPv6 tunneling is actively used. Additionally, monitoring systems should be configured to detect unusual patterns in network namespace creation or device registration failures that could indicate exploitation attempts. The fix demonstrates a best practice in kernel development by avoiding redundant destructor calls and relying on the kernel's established device management framework rather than implementing custom cleanup logic that conflicts with existing mechanisms. Security teams should also consider implementing network segmentation and access controls to limit the potential impact of any exploitation attempts, while maintaining regular kernel patching procedures to address similar vulnerabilities proactively.