Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd416baaa9-dc9f-4396-8d5f-8c081fb06d67NVD:CVE-2021-47544
HistoryMay 24, 2024 - 3:15 p.m.

CVE-2021-47544

2024-05-2415:15:18
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
linux kernel
tcp vulnerability
apache web-server
cifs mount-point
memory mapping
page fault
smb transaction
stack trace
filesystem
sk_allocations
mm-helper

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix page frag corruption on page fault

Steffen reported a TCP stream corruption for HTTP requests
served by the apache web-server using a cifs mount-point
and memory mapping the relevant file.

The root cause is quite similar to the one addressed by
commit 20eb4f29b602 (“net: fix sk_page_frag() recursion from
memory reclaim”). Here the nested access to the task page frag
is caused by a page fault on the (mmapped) user-space memory
buffer coming from the cifs file.

The page fault handler performs an smb transaction on a different
socket, inside the same process context. Since sk->sk_allaction
for such socket does not prevent the usage for the task_frag,
the nested allocation modify “under the hood” the page frag
in use by the outer sendmsg call, corrupting the stream.

The overall relevant stack trace looks like the following:

httpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked:
ffffffff91461d91 tcp_sendmsg_locked+0x1
ffffffff91462b57 tcp_sendmsg+0x27
ffffffff9139814e sock_sendmsg+0x3e
ffffffffc06dfe1d smb_send_kvec+0x28
[…]
ffffffffc06cfaf8 cifs_readpages+0x213
ffffffff90e83c4b read_pages+0x6b
ffffffff90e83f31 __do_page_cache_readahead+0x1c1
ffffffff90e79e98 filemap_fault+0x788
ffffffff90eb0458 __do_fault+0x38
ffffffff90eb5280 do_fault+0x1a0
ffffffff90eb7c84 __handle_mm_fault+0x4d4
ffffffff90eb8093 handle_mm_fault+0xc3
ffffffff90c74f6d __do_page_fault+0x1ed
ffffffff90c75277 do_page_fault+0x37
ffffffff9160111e page_fault+0x1e
ffffffff9109e7b5 copyin+0x25
ffffffff9109eb40 _copy_from_iter_full+0xe0
ffffffff91462370 tcp_sendmsg_locked+0x5e0
ffffffff91462370 tcp_sendmsg_locked+0x5e0
ffffffff91462b57 tcp_sendmsg+0x27
ffffffff9139815c sock_sendmsg+0x4c
ffffffff913981f7 sock_write_iter+0x97
ffffffff90f2cc56 do_iter_readv_writev+0x156
ffffffff90f2dff0 do_iter_write+0x80
ffffffff90f2e1c3 vfs_writev+0xa3
ffffffff90f2e27c do_writev+0x5c
ffffffff90c042bb do_syscall_64+0x5b
ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65

The cifs filesystem rightfully sets sk_allocations to GFP_NOFS,
we can avoid the nesting using the sk page frag for allocation
lacking the __GFP_FS flag. Do not define an additional mm-helper
for that, as this is strictly tied to the sk page frag usage.

v1 -> v2:

  • use a stricted sk_page_frag() check instead of reordering the
    code (Eric)

Related

cve 1
vulnrichment 1
redhatcve 1
debiancve 1
cvelist 1
ubuntucve 1
nessus 4
cve
cve
CVE-2021-47544
2024-05-24 15:15:18
vulnrichment
vulnrichment
CVE-2021-47544 tcp: fix page frag corruption on page fault
2024-05-24 15:09:49
redhatcve
redhatcve
CVE-2021-47544
2024-05-27 10:33:12
debiancve
debiancve
CVE-2021-47544
2024-05-24 15:15:18
cvelist
cvelist
CVE-2021-47544 tcp: fix page frag corruption on page fault
2024-05-24 15:09:49
ubuntucve
ubuntucve
CVE-2021-47544
2024-05-24 00:00:00
nessus
nessus
SUSE SLES15 Security Update : kernel (SUSE-SU-2024:2189-1)
2024-06-26 00:00:00
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2008-1)
2024-06-13 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2190-1)
2024-06-26 00:00:00

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON
Related for NVD:CVE-2021-47544
cve1vulnrichment1redhatcve1debiancve1cvelist1ubuntucve1nessus4