THREATINT
PUBLISHED

CVE-2021-46955

openvswitch: fix stack OOB read while fragmenting IPv4 packets



Description

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: fix stack OOB read while fragmenting IPv4 packets

Running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets:

  BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
  Read of size 1 at addr ffff888112fc713c by task handler2/1367

  CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418
  Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
  Call Trace:
   dump_stack+0x92/0xc1
   print_address_description.constprop.7+0x1a/0x150
   kasan_report.cold.13+0x7f/0x111
   ip_do_fragment+0x1b03/0x1f60
   ovs_fragment+0x5bf/0x840 [openvswitch]
   do_execute_actions+0x1bd5/0x2400 [openvswitch]
   ovs_execute_actions+0xc8/0x3d0 [openvswitch]
   ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]
   genl_family_rcv_msg_doit.isra.15+0x227/0x2d0
   genl_rcv_msg+0x287/0x490
   netlink_rcv_skb+0x120/0x380
   genl_rcv+0x24/0x40
   netlink_unicast+0x439/0x630
   netlink_sendmsg+0x719/0xbf0
   sock_sendmsg+0xe2/0x110
   ____sys_sendmsg+0x5ba/0x890
   ___sys_sendmsg+0xe9/0x160
   __sys_sendmsg+0xd3/0x170
   do_syscall_64+0x33/0x40
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x7f957079db07
  Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48
  RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
  RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07
  RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019
  RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730
  R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
  R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0

  The buggy address belongs to the page:
  page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7
  flags: 0x17ffffc0000000()
  raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
  page dumped because: kasan: bad access detected

  addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:
   ovs_fragment+0x0/0x840 [openvswitch]

  this frame has 2 objects:
   [32, 144) 'ovs_dst'
   [192, 424) 'ovs_rt'

  Memory state around the buggy address:
   ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
  >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
                                          ^
   ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00

For IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as a pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack.

Fix this by changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 a few lines below.
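The type confusion described above, modelled in a stand-alone C example added here (it is not code from the kernel commit): the two structs are simplified stand-ins for the kernel's struct dst_entry and struct rtable, model_ip_mtu_locked() mirrors the cast that ip_mtu_locked() performs, bare_dst_read_is_oob() reports whether the buggy pattern's read would land past a bare dst_entry, fixed_ovs_fragment_mtu_locked() shows the pattern the fix adopts, and frame_access_in_bounds() is a KASAN-style bounds check over the frame layout from the splat.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Simplified stand-ins for the kernel structs (illustrative layout only), sized so
 * the dst_entry model is 112 bytes on 64-bit, like 'ovs_dst' [32, 144) in the splat. */
struct dst_entry {
    void *dev;
    unsigned int flags;
    unsigned char metrics[96];
};
struct rtable {
    struct dst_entry dst;        /* embedded first: IPv4 code casts dst_entry* to rtable* */
    int rt_genid;
    unsigned int rt_flags;
    unsigned char rt_mtu_locked; /* sits beyond the end of a bare struct dst_entry */
};

/* Mirrors ip_mtu_locked(): it assumes dst is embedded in a struct rtable. */
static bool model_ip_mtu_locked(const struct dst_entry *dst)
{
    const struct rtable *rt = (const struct rtable *)dst;
    return rt->rt_mtu_locked;
}
/* Buggy ovs_fragment() pattern: a bare struct dst_entry on the stack. Reading
 * rt_mtu_locked through it runs past the object; report that instead of doing it. */
bool bare_dst_read_is_oob(void)
{
    return offsetof(struct rtable, rt_mtu_locked) + 1 > sizeof(struct dst_entry);
}
/* Fixed pattern: keep a whole struct rtable on the stack and hand out its dst. */
bool fixed_ovs_fragment_mtu_locked(bool locked)
{
    struct rtable ovs_rt;
    memset(&ovs_rt, 0, sizeof(ovs_rt));
    ovs_rt.rt_mtu_locked = locked;
    return model_ip_mtu_locked(&ovs_rt.dst); /* in bounds: the field is inside ovs_rt */
}

/* KASAN-style check over the ovs_fragment() frame objects reported in the splat. */
struct frame_obj { size_t start, end; const char *name; };
static const struct frame_obj ovs_fragment_frame[] = { {32, 144, "ovs_dst"}, {192, 424, "ovs_rt"} };
/* True iff the access [off, off + len) lies entirely inside one frame object. */
bool frame_access_in_bounds(size_t off, size_t len)
{
    for (size_t i = 0; i < sizeof(ovs_fragment_frame) / sizeof(ovs_fragment_frame[0]); i++)
        if (off >= ovs_fragment_frame[i].start && off + len <= ovs_fragment_frame[i].end)
            return true;
    return false;
}
```

The splat's read at frame offset 180 falls in the redzone between 'ovs_dst' and 'ovs_rt', which is exactly what the bounds check reports.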

Reserved 2024-02-27 | Published 2024-02-27 | Updated 2024-12-19 | Assigner Linux

Product status

By git commit (default status: unaffected)

119bbaa6795a4f4aed46994cc7d9ab01989c87e3 before b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f: affected
d543907a4730400f5c5b684c57cb5bbbfd6136ab before 23e17ec1a5eb53fe39cc34fa5592686d5acd0dac: affected
8387fbac8e18e26a60559adc63e0b7067303b0a4 before 5a52fa8ad45b5a593ed416adf326538638454ff1: affected
d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 before df9e900de24637be41879e2c50afb713ec4e8b2e: affected
d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 before 490ad0a2390442d0a7b8c00972a83dbb09cab142: affected
d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 before a1478374b0bda89b4277a8afd39208271faad4be: affected
d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 before d841d3cf5297fde4ce6a41ff35451d0e82917f3e: affected
d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 before b3502b04e84ac5349be95fc033c17bd701d2787a: affected
d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 before 7c0ea5930c1c211931819d83cfb157bff1539a4c: affected

By kernel version (default status: affected)

4.16: affected
Any version before 4.16: unaffected
4.4.269: unaffected
4.9.269: unaffected
4.14.233: unaffected
4.19.191: unaffected
5.4.118: unaffected
5.10.36: unaffected
5.11.20: unaffected
5.12.3: unaffected
5.13: unaffected

References

git.kernel.org/...c/b1d7280f9ba1bfdbc3af5bdb82e51f014854f26f

git.kernel.org/...c/23e17ec1a5eb53fe39cc34fa5592686d5acd0dac

git.kernel.org/...c/5a52fa8ad45b5a593ed416adf326538638454ff1

git.kernel.org/...c/df9e900de24637be41879e2c50afb713ec4e8b2e

git.kernel.org/...c/490ad0a2390442d0a7b8c00972a83dbb09cab142

git.kernel.org/...c/a1478374b0bda89b4277a8afd39208271faad4be

git.kernel.org/...c/d841d3cf5297fde4ce6a41ff35451d0e82917f3e

git.kernel.org/...c/b3502b04e84ac5349be95fc033c17bd701d2787a

git.kernel.org/...c/7c0ea5930c1c211931819d83cfb157bff1539a4c

cve.org (CVE-2021-46955)

nvd.nist.gov (CVE-2021-46955)

https://cve.threatint.com/CVE/CVE-2021-46955