CVE-2021-47304

{"id": "CVE-2021-47304", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:18.110", "references": [{"url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\n\nThis commit fixes a bug (found by syzkaller) that could cause spurious\ndouble-initializations for congestion control modules, which could cause\nmemory leaks or other problems for congestion control modules (like CDG)\nthat allocate memory in their init functions.\n\nThe buggy scenario constructed by syzkaller was something like:\n\n(1) create a TCP socket\n(2) initiate a TFO connect via sendto()\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\n which calls:\n tcp_set_congestion_control() ->\n tcp_reinit_congestion_control() ->\n tcp_init_congestion_control()\n(4) receive ACK, connection is established, call tcp_init_transfer(),\n set icsk_ca_initialized=0 (without first calling cc->release()),\n call tcp_init_congestion_control() again.\n\nNote that in this sequence tcp_init_congestion_control() is called\ntwice without a cc->release() call in between. Thus, for CC modules\nthat allocate memory in their init() function, e.g, CDG, a memory leak\nmay occur. The syzkaller tool managed to find a reproducer that\ntriggered such a leak in CDG.\n\nThe bug was introduced when that commit 8919a9b31eb4 (\"tcp: Only init\ncongestion control if not initialized already\")\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\ntcp_init_transfer(), missing the possibility for a sequence like the\none above, where a process could call setsockopt(TCP_CONGESTION) in\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\nwhich would call tcp_init_congestion_control(). It did not intend to\nreset any initialization that the user had already explicitly made;\nit just missed the possibility of that particular sequence (which\nsyzkaller managed to find)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: corrige tcp_init_transfer() para no restablecer icsk_ca_initialized Esta confirmaci\u00f3n corrige un error (encontrado por syzkaller) que podr\u00eda causar dobles inicializaciones falsas para los m\u00f3dulos de control de congesti\u00f3n, lo que podr\u00eda causar p\u00e9rdidas de memoria o Otros problemas para los m\u00f3dulos de control de congesti\u00f3n (como CDG) que asignan memoria en sus funciones de inicio. El escenario con errores construido por syzkaller era algo as\u00ed como: (1) crear un socket TCP (2) iniciar una conexi\u00f3n TFO a trav\u00e9s de sendto() (3) mientras el socket est\u00e1 en TCP_SYN_SENT, llamar a setsockopt(TCP_CONGESTION), que llama a: tcp_set_congestion_control() - > tcp_reinit_congestion_control() -> tcp_init_congestion_control() (4) recibe ACK, se establece la conexi\u00f3n, llama a tcp_init_transfer(), establece icsk_ca_initialized=0 (sin llamar primero a cc->release()), llama a tcp_init_congestion_control() nuevamente. Tenga en cuenta que en esta secuencia tcp_init_congestion_control() se llama dos veces sin una llamada cc->release() en el medio. Por lo tanto, para los m\u00f3dulos CC que asignan memoria en su funci\u00f3n init(), por ejemplo, CDG, puede ocurrir una p\u00e9rdida de memoria. La herramienta syzkaller logr\u00f3 encontrar un reproductor que desencaden\u00f3 dicha filtraci\u00f3n en CDG. El error se introdujo cuando la confirmaci\u00f3n 8919a9b31eb4 (\"tcp: solo inicia el control de congesti\u00f3n si a\u00fan no est\u00e1 inicializado\") introdujo icsk_ca_initialized y estableci\u00f3 icsk_ca_initialized en 0 en tcp_init_transfer(), perdiendo la posibilidad de una secuencia como la anterior, donde un proceso podr\u00eda llamar setsockopt(TCP_CONGESTION) en el estado TCP_SYN_SENT (es decir, despu\u00e9s de connect() o TFO open sendmsg()), que llamar\u00eda a tcp_init_congestion_control(). No ten\u00eda la intenci\u00f3n de restablecer ninguna inicializaci\u00f3n que el usuario ya hubiera realizado expl\u00edcitamente; simplemente perdi\u00f3 la posibilidad de esa secuencia particular (que Syzkaller logr\u00f3 encontrar)."}], "lastModified": "2025-05-12T20:00:45.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DEFC6EF-3F05-496C-9CCD-DF3BDE77EC04", "versionEndExcluding": "5.10.53", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "808DF8D9-4913-4CC7-B91F-B4146556B7ED", "versionEndExcluding": "5.13.5", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71268287-21A8-4488-AA4F-23C473153131"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}