{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: conntrack: serialize hash resizes and cleanups",
    "id" : "2282328",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2282328"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-667",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: conntrack: serialize hash resizes and cleanups\nSyzbot was able to trigger the following warning [1]\nNo repro found by syzbot yet but I was able to trigger similar issue\nby having 2 scripts running in parallel, changing conntrack hash sizes,\nand:\nfor j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done\nIt would take more than 5 minutes for net_namespace structures\nto be cleaned up.\nThis is because nf_ct_iterate_cleanup() has to restart everytime\na resize happened.\nBy adding a mutex, we can serialize hash resizes and cleanups\nand also make get_next_corpse() faster by skipping over empty\nbuckets.\nEven without resizes in the picture, this patch considerably\nspeeds up network namespace dismantles.\n[1]\nINFO: task syz-executor.0:8312 can't die for more than 144 seconds.\ntask:syz-executor.0  state:R  running task     stack:25672 pid: 8312 ppid:  6573 flags:0x00004006\nCall Trace:\ncontext_switch kernel/sched/core.c:4955 [inline]\n__schedule+0x940/0x26f0 kernel/sched/core.c:6236\npreempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408\npreempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35\n__local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390\nlocal_bh_enable include/linux/bottom_half.h:32 [inline]\nget_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline]\nnf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275\nnf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469\nops_exit_list+0x10d/0x160 net/core/net_namespace.c:171\nsetup_net+0x639/0xa30 net/core/net_namespace.c:349\ncopy_net_ns+0x319/0x760 net/core/net_namespace.c:470\ncreate_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110\nunshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226\nksys_unshare+0x445/0x920 kernel/fork.c:3128\n__do_sys_unshare kernel/fork.c:3202 [inline]\n__se_sys_unshare kernel/fork.c:3200 [inline]\n__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f63da68e739\nRSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110\nRAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000\nRBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80\nR13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000\nShowing all locks held in the system:\n1 lock held by khungtaskd/27:\n#0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446\n2 locks held by kworker/u4:2/153:\n#0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]\n#0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]\n#0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]\n#0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline]\n#0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline]\n#0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268\n#1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272\n1 lock held by systemd-udevd/2970:\n1 lock held by in:imklog/6258:\n#0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990\n3 locks held by kworker/1:6/8158:\n1 lock held by syz-executor.0/8312:\n2 locks held by kworker/u4:13/9320:\n1 lock held by\n---truncated---", "A vulnerability was found in the Linux kernel’s netfilter and conntrack module, occurring during the resizing and cleanup of hash tables used for connection tracking. The kernel's nf_ct_iterate_cleanup() function fails to efficiently handle simultaneous hash resizes and cleanups, leading to prolonged delays lead to unresponsive system behavior." ],
  "statement" : "This vulnerability is rated as a moderate severity because it impacts on system availability rather than data security, affects system performance and responsiveness, particularly during cleanup operations under high load conditions",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5102",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5101",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.16.1.el8_10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47408\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47408\nhttps://lore.kernel.org/linux-cve-announce/2024052151-CVE-2021-47408-ad88@gregkh/T" ],
  "name" : "CVE-2021-47408",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}