CVE-2021-47536

EUVD-2021-34538

24.05.2024, 15:15

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix wrong list_del in smc_lgr_cleanup_early

smc_lgr_cleanup_early() meant to delete the link
group from the link group list, but it deleted
the list head by mistake.

This may cause memory corruption since we didn't
remove the real link group from the list and later
memseted the link group structure.
We got a list corruption panic when testing:

[  231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000
[  231.278222] ------------[ cut here ]------------
[  231.278726] kernel BUG at lib/list_debug.c:53!
[  231.279326] invalid opcode: 0000 [#1] SMP NOPTI
[  231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435
[  231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
[  231.281248] Workqueue: events smc_link_down_work
[  231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90
[  231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c
60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f>
0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc
[  231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292
[  231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000
[  231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040
[  231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001
[  231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001
[  231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003
[  231.288337] FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[  231.289160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0
[  231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  231.291940] Call Trace:
[  231.292211]  smc_lgr_terminate_sched+0x53/0xa0
[  231.292677]  smc_switch_conns+0x75/0x6b0
[  231.293085]  ? update_load_avg+0x1a6/0x590
[  231.293517]  ? ttwu_do_wakeup+0x17/0x150
[  231.293907]  ? update_load_avg+0x1a6/0x590
[  231.294317]  ? newidle_balance+0xca/0x3d0
[  231.294716]  smcr_link_down+0x50/0x1a0
[  231.295090]  ? __wake_up_common_lock+0x77/0x90
[  231.295534]  smc_link_down_work+0x46/0x60
[  231.295933]  process_one_work+0x18b/0x350

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.84
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.7
linux	linux_kernel	5.16:rc1
linux	linux_kernel	5.16:rc2
linux	linux_kernel	5.16:rc3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
buster	not-affected
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-aws-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-fde

focal	ignored
jammy	not-affected
mantic	dne
noble	dne

linux-azure-fde-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-bluefield

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-gcp-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-gcp-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gke

focal	ignored
jammy	not-affected
mantic	dne
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gkeop

focal	not-affected
jammy	not-affected
mantic	dne
noble	dne

linux-gkeop-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	not-affected

linux-hwe-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-hwe-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	ignored

linux-ibm

focal	not-affected
jammy	not-affected
mantic	ignored
noble	not-affected

linux-ibm-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
trusty	dne
xenial	dne

linux-intel-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-intel-iotg

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-intel-iotg-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-iot

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	dne
noble	dne
xenial	not-affected

linux-laptop

focal	dne
jammy	dne
mantic	not-affected
noble	dne

linux-lowlatency

focal	dne
jammy	not-affected
mantic	not-affected
noble	not-affected

linux-lowlatency-hwe-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-lts-xenial

focal	dne
jammy	dne
mantic	dne
noble	dne
trusty	not-affected

linux-nvidia

focal	dne
jammy	not-affected
mantic	dne
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-oem-6.8

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected
xenial	not-affected

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-raspi

focal	not-affected
jammy	not-affected
mantic	not-affected
noble	not-affected

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-raspi2

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv

focal	ignored
jammy	ignored
mantic	not-affected
noble	not-affected

linux-riscv-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-riscv-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-starfive

focal	dne
jammy	dne
mantic	not-affected
noble	dne

linux-starfive-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-starfive-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-xilinx-zynqmp

focal	not-affected
jammy	not-affected
mantic	dne
noble	dne

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529

https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba

https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c

https://git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529

https://git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba

https://git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c