CVE-2021-47304: tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix tcpinittransfer() to not reset icskcainitialized
The Linux kernel CVE team has assigned CVE-2021-47304 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052126-CVE-2021-47304-fc16@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix tcpinittransfer() to not reset icskcainitialized
This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions.
The buggy scenario constructed by syzkaller was something like:
(1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCPSYNSENT, call setsockopt(TCPCONGESTION), which calls: tcpsetcongestioncontrol() -> tcpreinitcongestioncontrol() -> tcpinitcongestioncontrol() (4) receive ACK, connection is established, call tcpinittransfer(), set icskcainitialized=0 (without first calling cc->release()), call tcpinitcongestioncontrol() again.
Note that in this sequence tcpinitcongestioncontrol() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG.
The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icskcainitialized and set icskcainitialized to 0 in tcpinittransfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCPCONGESTION) in state TCPSYNSENT (i.e. after the connect() or TFO open sendmsg()), which would call tcpinitcongestioncontrol(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).
— MITRE
Linux Kernel is vulnerable to a denial of service, caused by a memory leak flaw in the tcpinittransfer() function due to not reset icskcainitialized. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2021-47304?
CVE-2021-47304 has a severity rating that necessitates attention due to potential impacts on the Linux kernel's TCP functions.
How do I fix CVE-2021-47304?
To fix CVE-2021-47304, update the Linux kernel to version 5.10.53, 5.13.5, or 5.14 as applicable.
Which software is affected by CVE-2021-47304?
CVE-2021-47304 affects various versions of the Linux kernel and IBM Security Verify Governance products.
What are the risks of not addressing CVE-2021-47304?
Failing to address CVE-2021-47304 may lead to network instability and potential security vulnerabilities within the Linux kernel.
Is CVE-2021-47304 publicly disclosed?
Yes, CVE-2021-47304 has been publicly disclosed by the Linux kernel CVE team.