CVE-2021-47597 in Linux
Summary
by MITRE • 06/19/2024
In the Linux kernel, the following vulnerability has been resolved:
inet_diag: fix kernel-infoleak for UDP sockets
KMSAN reported a kernel-infoleak [1], that can be exploited by unpriv users.
After analysis it turned out UDP was not initializing r->idiag_expires. Other users of inet_sk_diag_fill() might make the same mistake in the future, so fix this in inet_sk_diag_fill().
[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:156 [inline]
 _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 copy_to_iter include/linux/uio.h:155 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
 netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
 sock_recvmsg_nosec net/socket.c:944 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_read_iter+0x5a9/0x630 net/socket.c:1035
 call_read_iter include/linux/fs.h:2156 [inline]
 new_sync_read fs/read_write.c:400 [inline]
 vfs_read+0x1631/0x1980 fs/read_write.c:481
 ksys_read+0x28c/0x520 fs/read_write.c:619
 __do_sys_read fs/read_write.c:629 [inline]
 __se_sys_read fs/read_write.c:627 [inline]
 __x64_sys_read+0xdb/0x120 fs/read_write.c:627
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1057
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x63f/0xe30 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 312 are uninitialized
Memory access of size 312 starts at ffff88812ab54000
Data copied to user address 0000000020001440

CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Analysis
by VulDB Data Team • 10/04/2025
CVE-2021-47597 is a kernel information leak in the Linux kernel's network subsystem, specifically in the inet_diag interface used for socket diagnostics. The issue arises from incomplete initialization of a socket diagnostic structure, creating a potential information disclosure channel for unprivileged users. It was detected by KMSAN (Kernel Memory Sanitizer), which flagged uninitialized memory being copied to userspace during a socket diagnostic dump. The root cause is that the UDP diagnostic path did not initialize the r->idiag_expires field; because inet_sk_diag_fill() is the common fill routine shared by several socket types, the fix was placed there. The oversight allowed whatever the allocator had left in that slot to be exposed when userspace applications queried socket information through the diagnostic interface.
The flaw manifests in the inet_diag subsystem, where socket diagnostic information is collected and returned to userspace over netlink sockets. When UDP sockets are queried, the missing initialization of the idiag_expires field results in uninitialized kernel memory being copied to userspace through a chain of calls involving copy_to_iter, skb_copy_datagram_iter and netlink_recvmsg. The KMSAN report shows that bytes 68-71 of a 312-byte message are uninitialized, with the copy reading from kernel address ffff88812ab54000. The leak occurs during ordinary socket diagnostic operations, so it is reachable by any unprivileged user who can issue inet_diag requests through socket system calls. The vulnerability also concerns the broader socket diagnostic framework: other socket types that rely on inet_sk_diag_fill() may have similar initialization issues, which could turn a single missed field into a widespread information disclosure risk.
The operational impact extends beyond a simple information disclosure, as the leaked bytes can expose sensitive kernel memory contents, including potential cryptographic keys, network state information, or other confidential data structures. Attackers could leverage the leak to reconstruct kernel memory layouts, potentially enabling more sophisticated attacks such as kernel address space layout randomization (ASLR) bypasses or privilege escalation attempts. Exploitation requires only the ability to issue socket diagnostic requests, which unprivileged users have, making the issue particularly dangerous. This creates a significant risk for systems where network diagnostics are frequently performed, such as containerized environments, network monitoring systems, or applications that query socket information for performance monitoring. The vulnerability affects kernel versions that include the problematic inet_diag implementation, with the issue present in kernel versions 5.16 and earlier, though the exact scope depends on the specific implementation details of the affected subsystem.
Mitigation for CVE-2021-47597 primarily means patching the kernel so that the idiag_expires field is initialized within inet_sk_diag_fill(). The fix ensures that the socket diagnostic structure is fully initialized before it is copied to userspace, eliminating the information leak. Organizations should prioritize applying the relevant kernel security patches as soon as possible, particularly in environments where unprivileged users have access to network diagnostic capabilities. System administrators should also consider monitoring for unusual socket diagnostic activity that might indicate exploitation attempts. Additional mitigations include restricting access to network diagnostic interfaces where possible, implementing proper access controls, and ensuring that only trusted users can query socket information through inet_diag. From a compliance perspective, this vulnerability aligns with CWE-248 (Uncaught Exception) and ATT&CK techniques related to information gathering and privilege escalation, making it critical for security teams to address promptly. The fix is a defensive programming improvement that prevents uninitialized memory from being exposed, in line with the principle of least privilege and secure coding practices in kernel development.