CVE-2021-47482

2024-05-22 09:15:10
CWE-544
Linux
web.nvd.nist.gov
linux kernel
vulnerability
error handling
batman-adv
memory allocation
performance improvement
bug fix

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.7
Confidence: Low

EPSS: 0
Percentile: 13.0%

In the Linux kernel, the following vulnerability has been resolved:

net: batman-adv: fix error handling

Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was
in wrong error handling in batadv_mesh_init().

Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case
of any batadv_*_init() calls failure. This approach may work well, when
there is some kind of indicator, which can tell which parts of batadv are
initialized; but there isn’t any.

All written above leads to cleaning up uninitialized fields. Even if we hide
ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit
GPF in batadv_nc_purge_paths(), because hash pointer is still NULL. [1]

To fix these bugs we can unwind batadv_*_init() calls one by one.
It is a good approach for 2 reasons: 1) It fixes bugs on error handling
path 2) It improves the performance, since we won’t call unneeded
batadv_*_free() functions.

So, this patch makes all batadv_*_init() clean up all allocated memory
before returning with an error to not call corresponding batadv_*_free()
and open-codes batadv_mesh_free() with proper order to avoid touching
uninitialized fields.
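
The two error-handling strategies described above, modelled in userspace C as an added example (this is not the kernel patch or batman-adv code; the struct, the three stages and every function name are hypothetical). A NULL slot stands in for a field that a failed init never set up, and `bad_frees()` counts how many cleanup calls reach such a field under the old blanket teardown versus the one-by-one unwind.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model: every name here is hypothetical, not kernel code. */
struct mesh { int *orig, *tt, *nc; int bad_frees; };
static int fail_at;                 /* stage whose init fails, 0 = none */

static int stage_init(int **slot, int stage)
{
    if (stage != fail_at)           /* a failed stage leaves its slot NULL */
        *slot = calloc(4, sizeof(**slot));
    return *slot ? 0 : -1;
}

static void stage_free(struct mesh *m, int **slot)
{
    m->bad_frees += !*slot;         /* kernel code would touch this field */
    free(*slot);                    /* free(NULL) is a no-op in the model */
    *slot = NULL;
}

static void mesh_free(struct mesh *m)   /* full teardown, reverse order */
{
    stage_free(m, &m->nc);
    stage_free(m, &m->tt);
    stage_free(m, &m->orig);
}

static int bad_frees(int stage, int unwind) /* bad cleanups if `stage` fails */
{
    struct mesh m = {0};
    fail_at = stage;
    if (stage_init(&m.orig, 1)) goto out;       /* nothing to undo yet */
    if (stage_init(&m.tt, 2))   goto err_tt;
    if (stage_init(&m.nc, 3))   goto err_nc;
    mesh_free(&m);                              /* success: normal teardown */
    return m.bad_frees;
err_nc:
    if (unwind) stage_free(&m, &m.tt);          /* fix: undo stage 2 */
err_tt:
    if (unwind) stage_free(&m, &m.orig);        /* fix: undo stage 1 */
out:
    if (!unwind) mesh_free(&m);                 /* old: blanket teardown */
    return m.bad_frees;
}

int main(void)
{
    for (int s = 1; s <= 3; s++)
        printf("stage %d: old=%d fixed=%d\n", s, bad_frees(s, 0), bad_frees(s, 1));
}
```

In the model the earlier a stage fails, the more never-initialized fields the blanket teardown reaches, while the unwind path reaches none.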

Affected configurations

Vulners
Node
linux linux_kernel Range 2.6.38 - 4.4.293
OR
linux linux_kernel Range 4.5.0 - 4.9.289
OR
linux linux_kernel Range 4.10.0 - 4.14.254
OR
linux linux_kernel Range 4.15.0 - 4.19.215
OR
linux linux_kernel Range 4.20.0 - 5.4.157
OR
linux linux_kernel Range 5.5.0 - 5.10.77
OR
linux linux_kernel Range 5.11.0 - 5.14.16
OR
linux linux_kernel Range 5.15.0

Vendor  Product       Version  CPE
linux   linux_kernel  *        cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/batman-adv/bridge_loop_avoidance.c",
      "net/batman-adv/main.c",
      "net/batman-adv/network-coding.c",
      "net/batman-adv/translation-table.c"
    ],
    "versions": [
      {
        "version": "c6c8fea29769",
        "lessThan": "0c6b199f09be",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "07533f1a673c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "e50f95765219",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "fbf150b16a36",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "6422e8471890",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "b0a2cd38553c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "a8f7359259dd",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c6c8fea29769",
        "lessThan": "6f68cd634856",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/batman-adv/bridge_loop_avoidance.c",
      "net/batman-adv/main.c",
      "net/batman-adv/network-coding.c",
      "net/batman-adv/translation-table.c"
    ],
    "versions": [
      {
        "version": "2.6.38",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.38",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.4.293",
        "lessThanOrEqual": "4.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.9.289",
        "lessThanOrEqual": "4.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.254",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.215",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.157",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.77",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14.16",
        "lessThanOrEqual": "5.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
