PT-2021-8137 · Linux+6 · Linux Kernel+6
Syzbot · Published 2021-12-20 · Updated 2025-03-13 · CVE-2021-47103
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.16.0-rc5-syzkaller
Description
The vulnerability is related to the use of RCU protection in the Linux kernel's inet component without clear documentation. Specifically, the sequences in tcp_v4_do_rcv() and tcp_v6_do_rcv() do not follow standard RCU rules, which can lead to a use-after-free error. A delete operation on an RCU-protected pointer is supposed to clear the pointer before the call_rcu()/synchronize_rcu() that guards the actual memory freeing. In some cases, the dst could be freed before sk->sk_rx_dst is set to NULL.
The issue was reported by syzbot and is related to the function dst_check in include/net/dst.h and tcp_v4_early_demux in net/ipv4/tcp_ipv4.c. The vulnerability can be exploited to potentially elevate privileges in the system.
Recommendations
To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, ensure that the kernel version is 5.16.0-rc5-syzkaller or later.
As a temporary workaround, consider disabling the tcp_v4_do_rcv() and tcp_v6_do_rcv() functions until a patch is available. However, this may have significant performance implications and should be carefully evaluated before implementation.
It is also recommended to restrict access to the vulnerable dst_check function in include/net/dst.h to minimize the risk of exploitation.
Note: The above recommendations are based on the provided input data and may not be comprehensive or applicable in all scenarios. It is essential to consult the official Linux kernel documentation and security advisories for the most up-to-date and accurate information.
Fix
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
CentOS
Linux Kernel
Red Hat
RED OS
SUSE
Ubuntu