CVE-2021-47400

{"id": "CVE-2021-47400", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.5}]}, "published": "2024-05-21T15:15:25.457", "references": [{"url": "https://git.kernel.org/stable/c/3dac38bdce7932901b9f0b71c62331852c809e61", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a31d4e73ada8022427b69b10fd1f01a6a8d4b3d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5b09e88e1bf7fe86540fab4b5f3eece8abead39e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f8ba689cb69523144d10606096ef686002dd7285", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3dac38bdce7932901b9f0b71c62331852c809e61", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5a31d4e73ada8022427b69b10fd1f01a6a8d4b3d", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5b09e88e1bf7fe86540fab4b5f3eece8abead39e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f8ba689cb69523144d10606096ef686002dd7285", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: do not allow call hns3_nic_net_open repeatedly\n\nhns3_nic_net_open() is not allowed to called repeatly, but there\nis no checking for this. When doing device reset and setup tc\nconcurrently, there is a small oppotunity to call hns3_nic_net_open\nrepeatedly, and cause kernel bug by calling napi_enable twice.\n\nThe calltrace information is like below:\n[ 3078.222780] ------------[ cut here ]------------\n[ 3078.230255] kernel BUG at net/core/dev.c:6991!\n[ 3078.236224] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[ 3078.243431] Modules linked in: hns3 hclgevf hclge hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O)\n[ 3078.258880] CPU: 0 PID: 295 Comm: kworker/u8:5 Tainted: G O 5.14.0-rc4+ #1\n[ 3078.269102] Hardware name: , BIOS KpxxxFPGA 1P B600 V181 08/12/2021\n[ 3078.276801] Workqueue: hclge hclge_service_task [hclge]\n[ 3078.288774] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[ 3078.296168] pc : napi_enable+0x80/0x84\ntc qdisc sho[w 3d0e7v8 .e3t0h218 79] lr : hns3_nic_net_open+0x138/0x510 [hns3]\n\n[ 3078.314771] sp : ffff8000108abb20\n[ 3078.319099] x29: ffff8000108abb20 x28: 0000000000000000 x27: ffff0820a8490300\n[ 3078.329121] x26: 0000000000000001 x25: ffff08209cfc6200 x24: 0000000000000000\n[ 3078.339044] x23: ffff0820a8490300 x22: ffff08209cd76000 x21: ffff0820abfe3880\n[ 3078.349018] x20: 0000000000000000 x19: ffff08209cd76900 x18: 0000000000000000\n[ 3078.358620] x17: 0000000000000000 x16: ffffc816e1727a50 x15: 0000ffff8f4ff930\n[ 3078.368895] x14: 0000000000000000 x13: 0000000000000000 x12: 0000259e9dbeb6b4\n[ 3078.377987] x11: 0096a8f7e764eb40 x10: 634615ad28d3eab5 x9 : ffffc816ad8885b8\n[ 3078.387091] x8 : ffff08209cfc6fb8 x7 : ffff0820ac0da058 x6 : ffff0820a8490344\n[ 3078.396356] x5 : 0000000000000140 x4 : 0000000000000003 x3 : ffff08209cd76938\n[ 3078.405365] x2 : 0000000000000000 x1 : 0000000000000010 x0 : ffff0820abfe38a0\n[ 3078.414657] Call trace:\n[ 3078.418517] napi_enable+0x80/0x84\n[ 3078.424626] hns3_reset_notify_up_enet+0x78/0xd0 [hns3]\n[ 3078.433469] hns3_reset_notify+0x64/0x80 [hns3]\n[ 3078.441430] hclge_notify_client+0x68/0xb0 [hclge]\n[ 3078.450511] hclge_reset_rebuild+0x524/0x884 [hclge]\n[ 3078.458879] hclge_reset_service_task+0x3c4/0x680 [hclge]\n[ 3078.467470] hclge_service_task+0xb0/0xb54 [hclge]\n[ 3078.475675] process_one_work+0x1dc/0x48c\n[ 3078.481888] worker_thread+0x15c/0x464\n[ 3078.487104] kthread+0x160/0x170\n[ 3078.492479] ret_from_fork+0x10/0x18\n[ 3078.498785] Code: c8027c81 35ffffa2 d50323bf d65f03c0 (d4210000)\n[ 3078.506889] ---[ end trace 8ebe0340a1b0fb44 ]---\n\nOnce hns3_nic_net_open() is excute success, the flag\nHNS3_NIC_STATE_DOWN will be cleared. So add checking for this\nflag, directly return when HNS3_NIC_STATE_DOWN is no set."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: hns3: no permitir llamadas repetidas a hns3_nic_net_open. No se permite llamar repetidamente a hns3_nic_net_open(), pero no se puede verificar esto. Al restablecer y configurar tc el dispositivo simult\u00e1neamente, existe una peque\u00f1a oportunidad de llamar a hns3_nic_net_open repetidamente y causar un error en el kernel al llamar a napi_enable dos veces. La informaci\u00f3n del seguimiento de llamadas es la siguiente: [3078.222780] ------------[ cortar aqu\u00ed ]------------ [ 3078.230255] BUG del kernel en net/core/dev. c:6991! [3078.236224] Error interno: Ups - BUG: 0 [#1] SMP PREEMPLEADO [3078.243431] M\u00f3dulos vinculados en: hns3 hclgevf hclge hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [ 3078.258880 CPU : 0 PID: 295 Comunicaciones: kworker/u8 :5 Contaminado: GO 5.14.0-rc4+ #1 [ 3078.269102] Nombre de hardware: , BIOS KpxxxFPGA 1P B600 V181 12/08/2021 [ 3078.276801] Cola de trabajo: hclge hclge_service_task [hclge] [ 3078.288774] pstate: 0009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [ 3078.296168] pc : napi_enable+0x80/0x84 tc qdisc sho[w 3d0e7v8 .e3t0h218 79] lr : hns3_nic_net_open+0x138/0x510 [hns3] [ 3078.314771] sp : 8000108abb20 [3078.319099] x29: ffff8000108abb20 x28: 0000000000000000 x27: ffff0820a8490300 [ 3078.329121] x26: 0000000000000001 x25: ffff08209cfc6200 x24: 00000000000 00000 [ 3078.339044] x23: ffff0820a8490300 x22: ffff08209cd76000 x21: ffff0820abfe3880 [ 3078.349018] x20: 0000000000000000 x19: 00 x18: 0000000000000000 [ 3078.358620] x17: 0000000000000000 x16 : ffffc816e1727a50 x15: 0000ffff8f4ff930 [ 3078.368895] x14: 0000000000000000 x13: 0000000000000000 x12: 0000259e9dbeb6b4 [ 3078.377987] x11: 0096a8f7e764eb40 x10: 634615ad28d3eab5 x9: ffffc816ad8885b8 [3078.387091] x8: ffff08209cfc6fb8 x7: ffff0820ac0da058 x6: ffff0820a8490344 [ 3 078.396356] x5: 0000000000000140 x4: 0000000000000003 x3: ffff08209cd76938 [3078.405365] x2: 0000000000000000 x1: 0000000000000010 x0: ffff0820abfe38a0 [3078.414657] Rastreo de llamadas: [3078.418517] +0x80/0x84 [ 3078.424626] hns3_reset_notify_up_enet+0x78/0xd0 [hns3] [ 3078.433469] hns3_reset_notify+0x64/0x80 [hns3 ] [ 3078.441430] hclge_notify_client+0x68/0xb0 [hclge] [ 3078.450511] hclge_reset_rebuild+0x524/0x884 [hclge] [ 3078.458879] hclge_reset_service_task+0x3c4/0x680 [hclge] 3078.467470] hclge_service_task+0xb0/0xb54 [hclge] [ 3078.475675] proceso_one_work+ 0x1dc/0x48c [ 3078.481888] work_thread+0x15c/0x464 [ 3078.487104] kthread+0x160/0x170 [ 3078.492479] ret_from_fork+0x10/0x18 [ 3078.498785] C\u00f3digo: c81 35ffffa2 d50323bf d65f03c0 (d4210000) [ 3078.506889] ---[ final de seguimiento 8ebe0340a1b0fb44 ] --- Una vez que hns3_nic_net_open() se ejecute correctamente, se borrar\u00e1 el indicador HNS3_NIC_STATE_DOWN. Por lo tanto, agregue la verificaci\u00f3n de este indicador y regrese directamente cuando HNS3_NIC_STATE_DOWN no est\u00e9 configurado."}], "lastModified": "2025-09-25T15:35:04.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B178BD06-0B91-4A7A-B7A1-D512D04B9C79", "versionEndExcluding": "5.4.151", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60C740E4-6C54-40CD-A914-2232D8FC781D", "versionEndExcluding": "5.10.71", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A437B0D-8305-4C72-B691-D26986A126CF", "versionEndExcluding": "5.14.10", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E46C74C6-B76B-4C94-A6A4-FD2FFF62D644"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60134C3A-06E4-48C1-B04F-2903732A4E56"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0460DA88-8FE1-46A2-9DDA-1F1ABA552E71"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}