CVE-2021-47162

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The issue arises when appending a fragment skb to a skb's frag list that already contains skbs from other sources. This can lead to use-after-free crashes, as the appended frag skb is seen by multiple skbs but only gets skb get called once. The problem occurs when a skb is created by pskb copy() where the frag list is cloned and shared among multiple skbs, or when a skb is updated by pskb may pull() with a skb cloned skb. Li Shuang has reported several crashes caused by this issue during testing on macvlan devices. The patch resolves this by linearizing the head skb if it has a frag list set in tipc buf append(), avoiding skb copy() by calling skb linearize() before skb unshare().

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.