{
  "threat_severity" : "Moderate",
  "public_date" : "2024-06-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: stmmac: fix tc flower deletion for VLAN priority Rx steering",
    "id" : "2293235",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293235"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: stmmac: fix tc flower deletion for VLAN priority Rx steering\nTo replicate the issue:-\n1) Add 1 flower filter for VLAN Priority based frame steering:-\n$ IFDEVNAME=eth0\n$ tc qdisc add dev $IFDEVNAME ingress\n$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \\\nmap 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \\\nqueues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0\n$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \\\nflower vlan_prio 0 hw_tc 0\n2) Get the 'pref' id\n$ tc filter show dev $IFDEVNAME ingress\n3) Delete a specific tc flower record (say pref 49151)\n$ tc filter del dev $IFDEVNAME parent ffff: pref 49151\nFrom dmesg, we will observe kernel NULL pointer ooops\n[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  197.171367] #PF: supervisor read access in kernel mode\n[  197.171367] #PF: error_code(0x0000) - not-present page\n[  197.171367] PGD 0 P4D 0\n[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI\n<snip>\n[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]\n<snip>\n[  197.171367] Call Trace:\n[  197.171367]  <TASK>\n[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]\n[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]\n[  197.171367]  tc_setup_cb_destroy+0xb3/0x180\n[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\nThe above issue is due to previous incorrect implementation of\ntc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()\nto get struct flow_rule *rule which is no longer valid for tc filter\ndelete operation.\nstruct flow_rule *rule = flow_cls_offload_flow_rule(cls);\nstruct flow_dissector *dissector = rule->match.dissector;\nSo, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for\nearlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),\nthis patch introduces stmmac_rfs_entry as driver-side flow_cls_offload\nrecord for 'RX frame steering' tc flower, currently used for VLAN\npriority. The implementation has taken consideration for future extension\nto include other type RX frame steering such as EtherType based.\nv2:\n- Clean up overly extensive backtrace and rewrite git message to better\nexplain the kernel NULL pointer issue.", "A vulnerability was found in the Linux kernel's net component in the stmmac driver, where improper deletion of VLAN priority filters caused a kernel NULL pointer dereference which occurs during the deletion of specific tc flower records, leading to potential system crashes." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2736",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-477.10.1.rt7.274.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2148",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9::nfv",
    "package" : "kernel-rt-0:5.14.0-284.11.1.rt14.296.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47592\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47592\nhttps://lore.kernel.org/linux-cve-announce/2024061919-CVE-2021-47592-7ca6@gregkh/T" ],
  "name" : "CVE-2021-47592",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}