Bug 1976946 (CVE-2021-3635) - CVE-2021-3635 kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50
Summary: CVE-2021-3635 kernel: flowtable list del corruption with kernel BUG at lib/li...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3635
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1977137 1977138 1990729
Blocks: 1974858 1978820
TreeView+ depends on / blocked
 
Reported: 2021-06-28 15:49 UTC by Pedro Sampaio
Modified: 2021-11-09 21:52 UTC (History)
50 users (show)

Fixed In Version: kernel 5.5-rc7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel netfilter implementation. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands
Clone Of:
Environment:
Last Closed: 2021-11-09 21:52:12 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4140 0 None None None 2021-11-09 17:23:50 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 18:27:44 UTC

Description Pedro Sampaio 2021-06-28 15:49:51 UTC 
A flaw was found in the Linux kernels netfilter implementation. A missing generation check during DELTABLE processing causes it to queue the DELFLOWTABLE operation a second time possibly leading to data corruption and denial of service.  An attacker must have either root or CAP_SYS_ADMIN capabilities to exploit this flaw.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1974543
Comment 2 Wade Mealing 2021-06-29 04:07:16 UTC 
This is rated as a Low, as you must be root or cap_sys_admin with a local account to be able to create the exploitable condition.
Comment 8 Wade Mealing 2021-08-06 05:10:29 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1990729]
Comment 9 Gianluca Gabrielli 2021-08-27 12:41:40 UTC 
Hi folks,

could you please open 1974543 to the public? I cannot find details about this bug anywhere.

Thanks
Comment 10 Salvatore Bonaccorso 2021-09-12 19:03:25 UTC 
Hi Gianluca,

(In reply to Gianluca Gabrielli from comment #9)
> Hi folks,
> 
> could you please open 1974543 to the public? I cannot find details about
> this bug anywhere.
> 
> Thanks

External to Red Hat here, but was searching as well for some information about this CVE. I suspect this is about the upstream commit https://git.kernel.org/linus/335178d5429c4cee61b58f4ac80688f556630818


Regards,
Salvatore
Comment 11 Wade Mealing 2021-09-13 02:48:44 UTC 
The BZ #1974543 is an internal tracking bug, and contains no information relevant to this flaw.
Comment 13 Gianluca Gabrielli 2021-09-16 12:51:29 UTC 
(In reply to Salvatore Bonaccorso from comment #10)
> Hi Gianluca,
> 
> (In reply to Gianluca Gabrielli from comment #9)
> > Hi folks,
> > 
> > could you please open 1974543 to the public? I cannot find details about
> > this bug anywhere.
> > 
> > Thanks
> 
> External to Red Hat here, but was searching as well for some information
> about this CVE. I suspect this is about the upstream commit
> https://git.kernel.org/linus/335178d5429c4cee61b58f4ac80688f556630818

Yes, it really seems the right one. Nice catch and thanks for having shared it.
Comment 14 Justin M. Forbes 2021-11-05 15:58:42 UTC 
This was fixed for Fedora with the 5.4.14 stable kernel updates.
Comment 15 errata-xmlrpc 2021-11-09 17:23:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
Comment 16 errata-xmlrpc 2021-11-09 18:27:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356
Comment 17 Product Security DevOps Team 2021-11-09 21:52:08 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3635
Note You need to log in before you can comment on or make changes to this bug.