Bug 2266421 (CVE-2021-46912) - CVE-2021-46912 kernel: namespace leak into all other net namespaces
Summary: CVE-2021-46912 kernel: namespace leak into all other net namespaces
Status: NEW
Alias: CVE-2021-46912
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2266426
Blocks: 2266369
TreeView+ depends on / blocked
Reported: 2024-02-27 19:16 UTC by Rohit Keshri
Modified: 2024-06-09 16:43 UTC (History)
49 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the network sub-component in the Linux Kernel. The tcp_allowed_congestion_control is global and writable, and writing to it in any net namespace will leak into all other net namespaces.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Rohit Keshri 2024-02-27 19:16:56 UTC
In the Linux kernel, the following vulnerability has been resolved:

net: Make tcp_allowed_congestion_control readonly in non-init netns

Currently, tcp_allowed_congestion_control is global and writable;
writing to it in any net namespace will leak into all other net

tcp_available_congestion_control and tcp_allowed_congestion_control are
the only sysctls in ipv4_net_table (the per-netns sysctl table) with a
NULL data pointer; their handlers (proc_tcp_available_congestion_control
and proc_allowed_congestion_control) have no other way of referencing a
struct net. Thus, they operate globally.

Because ipv4_net_table does not use designated initializers, there is no
easy way to fix up this one "bad" table entry. However, the data pointer
updating logic shouldn't be applied to NULL pointers anyway, so we
instead force these entries to be read-only.

These sysctls used to exist in ipv4_table (init-net only), but they were
moved to the per-net ipv4_net_table, presumably without realizing that
tcp_allowed_congestion_control was writable and thus introduced a leak.

Because the intent of that commit was only to know (i.e. read) "which
congestion algorithms are available or allowed", this read-only solution
should be sufficient.

The logic added in recent commit
31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls")
does not and cannot check for NULL data pointers, because
other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have
.data=NULL but use other methods (.extra2) to access the struct net.


Comment 1 Rohit Keshri 2024-02-27 19:36:23 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2266426]

Comment 3 Justin M. Forbes 2024-02-27 23:04:24 UTC
This was fixed for Fedora with the 5.11.16 stable kernel updates.

Comment 7 Alex 2024-06-09 16:43:49 UTC
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2021-46912 is: CHECK	Maybe valid. Check manually. with impact LOW (that is an approximation based on flags REMOTE INIT LEAK NETWORK IMPROVEONLY  ; these flags parsed automatically based on patch data). Such automatic check happens only for Low/Moderates (and only when not from reporter, but parsing already existing CVE). Highs always checked manually (I check it myself and then we check it again in Remediation team). In rare cases some of the Moderates could be increased to High later.

Note You need to log in before you can comment on or make changes to this bug.