{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: nexthop: fix null pointer dereference when IPv6 is not enabled",
    "id" : "2283457",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2283457"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: nexthop: fix null pointer dereference when IPv6 is not enabled\nWhen we try to add an IPv6 nexthop and IPv6 is not enabled\n(!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path\nof nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug\nhas been present since the beginning of IPv6 nexthop gateway support.\nCommit 1aefd3de7bc6 (\"ipv6: Add fib6_nh_init and release to stubs\") tells\nus that only fib6_nh_init has a dummy stub because fib6_nh_release should\nnot be called if fib6_nh_init returns an error, but the commit below added\na call to ipv6_stub->fib6_nh_release in its error path. To fix it return\nthe dummy stub's -EAFNOSUPPORT error directly without calling\nipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.\n[1]\nOutput is a bit truncated, but it clearly shows the error.\nBUG: kernel NULL pointer dereference, address: 000000000000000000\n#PF: supervisor instruction fetch in kernel modede\n#PF: error_code(0x0010) - not-present pagege\nPGD 0 P4D 0\nOops: 0010 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at RIP 0xffffffffffffffd6.\nRSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac\nRAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860\nRBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f\nR13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840\nFS:  00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0\nCall Trace:\n<TASK>\nnh_create_ipv6+0xed/0x10c\nrtm_new_nexthop+0x6d7/0x13f3\n? check_preemption_disabled+0x3d/0xf2\n? lock_is_held_type+0xbe/0xfd\nrtnetlink_rcv_msg+0x23f/0x26a\n? check_preemption_disabled+0x3d/0xf2\n? rtnl_calcit.isra.0+0x147/0x147\nnetlink_rcv_skb+0x61/0xb2\nnetlink_unicast+0x100/0x187\nnetlink_sendmsg+0x37f/0x3a0\n? netlink_unicast+0x187/0x187\nsock_sendmsg_nosec+0x67/0x9b\n____sys_sendmsg+0x19d/0x1f9\n? copy_msghdr_from_user+0x4c/0x5e\n? rcu_read_lock_any_held+0x2a/0x78\n___sys_sendmsg+0x6c/0x8c\n? asm_sysvec_apic_timer_interrupt+0x12/0x20\n? lockdep_hardirqs_on+0xd9/0x102\n? sockfd_lookup_light+0x69/0x99\n__sys_sendmsg+0x50/0x6e\ndo_syscall_64+0xcb/0xf2\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f98dea28914\nCode: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53\nRSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e2e\nRAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914\nRDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008\nR10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001\nR13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0\n</TASK>\nModules linked in: bridge stp llc bonding virtio_net" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47572\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47572\nhttps://lore.kernel.org/linux-cve-announce/2024052454-CVE-2021-47572-50bc@gregkh/T" ],
  "name" : "CVE-2021-47572",
  "csaw" : false
}