mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 09:11:28 +00:00
45 lines
4.6 KiB
JSON
{
  "id": "CVE-2021-46999",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-02-28T09:15:38.130",
  "lastModified": "2024-02-28T14:06:45.783",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: do asoc update earlier in sctp_sf_do_dupcook_a\n\nThere's a panic that occurs in a few of envs, the call trace is as below:\n\n [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI\n [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]\n [] sctp_assoc_control_transport+0x1b9/0x210 [sctp]\n [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]\n [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]\n [] sctp_do_sm+0xc3/0x2a0 [sctp]\n [] sctp_generate_timeout_event+0x81/0xf0 [sctp]\n\nThis is caused by a transport use-after-free issue. When processing a\nduplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK\nand SHUTDOWN chunks are allocated with the transort from the new asoc.\nHowever, later in the sideeffect machine, the old asoc is used to send\nthem out and old asoc's shutdown_last_sent_to is set to the transport\nthat SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually\nbelongs to the new asoc. After the new_asoc is freed and the old asoc\nT2 timeout, the old asoc's shutdown_last_sent_to that is already freed\nwould be accessed in sctp_sf_t2_timer_expire().\n\nThanks Alexander and Jere for helping dig into this issue.\n\nTo fix it, this patch is to do the asoc update first, then allocate\nthe COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This\nwould make more sense, as a chunk from an asoc shouldn't be sent out\nwith another asoc. We had fixed quite a few issues caused by this."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sctp: haga una actualizaci\u00f3n anterior en sctp_sf_do_dupcook_a Hay un p\u00e1nico que ocurre en algunos de los entornos, el seguimiento de la llamada es el siguiente: [] falla de protecci\u00f3n general, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra. 21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] Esto se debe a un problema de use-after-free del transporte. Al procesar un fragmento COOKIE-ECHO duplicado en sctp_sf_do_dupcook_a(), tanto los fragmentos COOKIE-ACK como SHUTDOWN se asignan con el transort del nuevo asoc. Sin embargo, m\u00e1s adelante en la m\u00e1quina de efectos secundarios, el antiguo asoc se utiliza para enviarlos y el Shutdown_last_sent_to del antiguo asoc se configura en el transporte al que se adjunt\u00f3 el fragmento SHUTDOWN en sctp_cmd_setup_t2(), que en realidad pertenece al nuevo asoc. Despu\u00e9s de que se libera el new_asoc y se agota el tiempo de espera T2 del antiguo asoc, se acceder\u00e1 al Shutdown_last_sent_to del antiguo asoc que ya est\u00e1 liberado en sctp_sf_t2_timer_expire(). Gracias Alexander y Jere por ayudarnos a profundizar en este problema. Para solucionarlo, este parche consiste en realizar primero la actualizaci\u00f3n de asoc y luego asignar los fragmentos COOKIE-ACK y SHUTDOWN con el antiguo asoc 'actualizado'. Esto tendr\u00eda m\u00e1s sentido, ya que un fragmento de una asoc no deber\u00eda enviarse con otra asoc. Hemos solucionado bastantes problemas causados por esto."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}