CVE-2021-47451 (GCVE-0-2021-47451)

Vulnerability from cvelistv5 – Published: 2024-05-22 06:19 – Updated: 2026-05-11 13:54
Title
netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value
Summary
In the Linux kernel, the following vulnerability has been resolved:

netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value

Currently, when the rule related to IDLETIMER is added, idletimer_tg timer structure is initialized by kmalloc on executing idletimer_tg_create function. However, in this process timer->timer_type is not defined to a specific value. Thus, timer->timer_type has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timer_type using kzalloc instead of kmalloc.

Test commands:
    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
    $ cat /sys/class/xt_idletimer/timers/test
      Killed

Splat looks like:
    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    Call Trace:
     dump_stack_lvl+0x6e/0x9c
     kasan_report.cold+0x112/0x117
     ? alarm_expires_remaining+0x49/0x70
     __asan_load8+0x86/0xb0
     alarm_expires_remaining+0x49/0x70
     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
     dev_attr_show+0x3c/0x60
     sysfs_kf_seq_show+0x11d/0x1f0
     ? device_remove_bin_file+0x20/0x20
     kernfs_seq_show+0xa4/0xb0
     seq_read_iter+0x29c/0x750
     kernfs_fop_read_iter+0x25a/0x2c0
     ? __fsnotify_parent+0x3d1/0x570
     ? iov_iter_init+0x70/0x90
     new_sync_read+0x2a7/0x3d0
     ? __x64_sys_llseek+0x230/0x230
     ? rw_verify_area+0x81/0x150
     vfs_read+0x17b/0x240
     ksys_read+0xd9/0x180
     ? vfs_write+0x460/0x460
     ? do_syscall_64+0x16/0xc0
     ? lockdep_hardirqs_on+0x79/0x120
     __x64_sys_read+0x43/0x50
     do_syscall_64+0x3b/0xc0
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f0cdc819142
    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142
    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003
    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000
    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0
    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 2a670c323055282c9b72794a491d53cef86bbeaf (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < cae7cab804c943d723d52724a3aeb07a3f4a2650 (git)
Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 902c0b1887522a099aa4e1e6b4b476c2fe5dd13e (git)
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.76 , ≤ 5.10.* (semver)
Unaffected: 5.14.15 , ≤ 5.14.* (semver)
Unaffected: 5.15 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47451",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-24T19:25:32.208577Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:14:53.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.385Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a670c323055282c9b72794a491d53cef86bbeaf",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "cae7cab804c943d723d52724a3aeb07a3f4a2650",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "902c0b1887522a099aa4e1e6b4b476c2fe5dd13e",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.76",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14.15",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\n\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\nstructure is initialized by kmalloc on executing idletimer_tg_create\nfunction. However, in this process timer-\u003etimer_type is not defined to\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\nkernel panic. So, this commit fixes the panic by initializing\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\n\nTest commands:\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\n    $ cat /sys/class/xt_idletimer/timers/test\n      Killed\n\nSplat looks like:\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n    Call Trace:\n     dump_stack_lvl+0x6e/0x9c\n     kasan_report.cold+0x112/0x117\n     ? alarm_expires_remaining+0x49/0x70\n     __asan_load8+0x86/0xb0\n     alarm_expires_remaining+0x49/0x70\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\n     dev_attr_show+0x3c/0x60\n     sysfs_kf_seq_show+0x11d/0x1f0\n     ? device_remove_bin_file+0x20/0x20\n     kernfs_seq_show+0xa4/0xb0\n     seq_read_iter+0x29c/0x750\n     kernfs_fop_read_iter+0x25a/0x2c0\n     ? __fsnotify_parent+0x3d1/0x570\n     ? iov_iter_init+0x70/0x90\n     new_sync_read+0x2a7/0x3d0\n     ? __x64_sys_llseek+0x230/0x230\n     ? rw_verify_area+0x81/0x150\n     vfs_read+0x17b/0x240\n     ksys_read+0xd9/0x180\n     ? vfs_write+0x460/0x460\n     ? do_syscall_64+0x16/0xc0\n     ? 
lockdep_hardirqs_on+0x79/0x120\n     __x64_sys_read+0x43/0x50\n     do_syscall_64+0x3b/0xc0\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RIP: 0033:0x7f0cdc819142\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:54:57.694Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650"
        },
        {
          "url": "https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e"
        }
      ],
      "title": "netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47451",
    "datePublished": "2024-05-22T06:19:42.082Z",
    "dateReserved": "2024-05-21T14:58:30.832Z",
    "dateUpdated": "2026-05-11T13:54:57.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-47451",
      "date": "2026-06-10",
      "epss": "0.00015",
      "percentile": "0.03301"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\\n\\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\\nstructure is initialized by kmalloc on executing idletimer_tg_create\\nfunction. However, in this process timer-\u003etimer_type is not defined to\\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\\nkernel panic. So, this commit fixes the panic by initializing\\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\\n\\nTest commands:\\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\\n    $ cat /sys/class/xt_idletimer/timers/test\\n      Killed\\n\\nSplat looks like:\\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\\n    Call Trace:\\n     dump_stack_lvl+0x6e/0x9c\\n     kasan_report.cold+0x112/0x117\\n     ? alarm_expires_remaining+0x49/0x70\\n     __asan_load8+0x86/0xb0\\n     alarm_expires_remaining+0x49/0x70\\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\\n     dev_attr_show+0x3c/0x60\\n     sysfs_kf_seq_show+0x11d/0x1f0\\n     ? device_remove_bin_file+0x20/0x20\\n     kernfs_seq_show+0xa4/0xb0\\n     seq_read_iter+0x29c/0x750\\n     kernfs_fop_read_iter+0x25a/0x2c0\\n     ? __fsnotify_parent+0x3d1/0x570\\n     ? iov_iter_init+0x70/0x90\\n     new_sync_read+0x2a7/0x3d0\\n     ? __x64_sys_llseek+0x230/0x230\\n     ? rw_verify_area+0x81/0x150\\n     vfs_read+0x17b/0x240\\n     ksys_read+0xd9/0x180\\n     ? vfs_write+0x460/0x460\\n     ? do_syscall_64+0x16/0xc0\\n     ? 
lockdep_hardirqs_on+0x79/0x120\\n     __x64_sys_read+0x43/0x50\\n     do_syscall_64+0x3b/0xc0\\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\\n    RIP: 0033:0x7f0cdc819142\\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: xt_IDLETIMER: corrige el p\\u00e1nico que ocurre cuando timer_type tiene valor basura Actualmente, cuando se agrega la regla relacionada con IDLETIMER, kmalloc inicializa la estructura del temporizador idletimer_tg al ejecutar la funci\\u00f3n idletimer_tg_create. Sin embargo, en este proceso timer-\u0026gt;timer_type no est\\u00e1 definido en un valor espec\\u00edfico. Por lo tanto, timer-\u0026gt;timer_type tiene un valor basura y se produce un p\\u00e1nico en el kernel. Entonces, esta confirmaci\\u00f3n soluciona el p\\u00e1nico al inicializar timer-\u0026gt;timer_type usando kzalloc en lugar de kmalloc. 
Comandos de prueba: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed Splat se ve as\\u00ed: ERROR: KASAN: acceso a memoria de usuario en alarm_expires_remaining+0x49/ 0x70 Lectura del tama\\u00f1o 8 en la direcci\\u00f3n 0000002e8c7bc4c8 por tarea cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Nombre del hardware: PC est\\u00e1ndar QEMU (Q35 + ICH9, 009), BIOS 1.13.0- 1ubuntu1.1 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] tr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? device_remove_bin_file+0x20/0x20 kernfs_seq_show+0xa4/0xb0 seq_read_iter+0x29c/0x750 kernfs_fop_read_iter+0x25a/0x2c0 ? __fsnotify_parent+0x3d1/0x570? iov_iter_init+0x70/0x90 new_sync_read+0x2a7/0x3d0? __x64_sys_llseek+0x230/0x230 ? rw_verify_area+0x81/0x150 vfs_read+0x17b/0x240 ksys_read+0xd9/0x180 ? vfs_write+0x460/0x460? do_syscall_64+0x16/0xc0? lockdep_hardirqs_on+0x79/0x120 __x64_sys_read+0x43/0x50 do_syscall_64+0x3b/0xc0 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 C\\u00f3digo: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: :00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc03200 0 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 00000000000000246 R 12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"}]",
      "id": "CVE-2021-47451",
      "lastModified": "2024-11-21T06:36:10.437",
      "published": "2024-05-22T07:15:10.220",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47451\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-22T07:15:10.220\",\"lastModified\":\"2025-09-24T01:18:15.240\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\\n\\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\\nstructure is initialized by kmalloc on executing idletimer_tg_create\\nfunction. However, in this process timer-\u003etimer_type is not defined to\\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\\nkernel panic. So, this commit fixes the panic by initializing\\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\\n\\nTest commands:\\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\\n    $ cat /sys/class/xt_idletimer/timers/test\\n      Killed\\n\\nSplat looks like:\\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\\n    Call Trace:\\n     dump_stack_lvl+0x6e/0x9c\\n     kasan_report.cold+0x112/0x117\\n     ? alarm_expires_remaining+0x49/0x70\\n     __asan_load8+0x86/0xb0\\n     alarm_expires_remaining+0x49/0x70\\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\\n     dev_attr_show+0x3c/0x60\\n     sysfs_kf_seq_show+0x11d/0x1f0\\n     ? device_remove_bin_file+0x20/0x20\\n     kernfs_seq_show+0xa4/0xb0\\n     seq_read_iter+0x29c/0x750\\n     kernfs_fop_read_iter+0x25a/0x2c0\\n     ? __fsnotify_parent+0x3d1/0x570\\n     ? iov_iter_init+0x70/0x90\\n     new_sync_read+0x2a7/0x3d0\\n     ? 
__x64_sys_llseek+0x230/0x230\\n     ? rw_verify_area+0x81/0x150\\n     vfs_read+0x17b/0x240\\n     ksys_read+0xd9/0x180\\n     ? vfs_write+0x460/0x460\\n     ? do_syscall_64+0x16/0xc0\\n     ? lockdep_hardirqs_on+0x79/0x120\\n     __x64_sys_read+0x43/0x50\\n     do_syscall_64+0x3b/0xc0\\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\\n    RIP: 0033:0x7f0cdc819142\\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: xt_IDLETIMER: corrige el p\u00e1nico que ocurre cuando timer_type tiene valor basura Actualmente, cuando se agrega la regla relacionada con IDLETIMER, kmalloc inicializa la estructura del temporizador idletimer_tg al ejecutar la funci\u00f3n idletimer_tg_create. Sin embargo, en este proceso timer-\u0026gt;timer_type no est\u00e1 definido en un valor espec\u00edfico. Por lo tanto, timer-\u0026gt;timer_type tiene un valor basura y se produce un p\u00e1nico en el kernel. Entonces, esta confirmaci\u00f3n soluciona el p\u00e1nico al inicializar timer-\u0026gt;timer_type usando kzalloc en lugar de kmalloc. 
Comandos de prueba: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed Splat se ve as\u00ed: ERROR: KASAN: acceso a memoria de usuario en alarm_expires_remaining+0x49/ 0x70 Lectura del tama\u00f1o 8 en la direcci\u00f3n 0000002e8c7bc4c8 por tarea cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 009), BIOS 1.13.0- 1ubuntu1.1 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] tr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? device_remove_bin_file+0x20/0x20 kernfs_seq_show+0xa4/0xb0 seq_read_iter+0x29c/0x750 kernfs_fop_read_iter+0x25a/0x2c0 ? __fsnotify_parent+0x3d1/0x570? iov_iter_init+0x70/0x90 new_sync_read+0x2a7/0x3d0? __x64_sys_llseek+0x230/0x230 ? rw_verify_area+0x81/0x150 vfs_read+0x17b/0x240 ksys_read+0xd9/0x180 ? vfs_write+0x460/0x460? do_syscall_64+0x16/0xc0? 
lockdep_hardirqs_on+0x79/0x120 __x64_sys_read+0x43/0x50 do_syscall_64+0x3b/0xc0 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 C\u00f3digo: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u0026lt;48\u0026gt; 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: :00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc03200 0 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 00000000000000246 R 12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.7\",\"versionEndExcluding\":\"5.10.76\",\"matchCriteriaId\":\"337EB464-BC23-4BF5-B901-A933B3ABA6A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.14.15\",\"matchCriteriaId\":\"63BD46C4-473F-45F9-93E9-F67D955321D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:r
c1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E46C74C6-B76B-4C94-A6A4-FD2FFF62D644\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"60134C3A-06E4-48C1-B04F-2903732A4E56\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"0460DA88-8FE1-46A2-9DDA-1F1ABA552E71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF55383D-4DF2-45DC-93F7-571F4F978EAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E9481B2-8AA6-4CBD-B5D3-C10F51FF6D01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBD45831-4B79-42BC-ABC0-86870F0DEA89\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:39:59.385Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47451\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-24T19:25:32.208577Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-24T19:25:37.508Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"68983a354a655c35d3fb204489d383a2a051fda7\", \"lessThan\": \"2a670c323055282c9b72794a491d53cef86bbeaf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"68983a354a655c35d3fb204489d383a2a051fda7\", \"lessThan\": \"cae7cab804c943d723d52724a3aeb07a3f4a2650\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"68983a354a655c35d3fb204489d383a2a051fda7\", \"lessThan\": \"902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\", \"versionType\": \"git\"}], \"programFiles\": [\"net/netfilter/xt_IDLETIMER.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": 
\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.76\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.14.15\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.14.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/netfilter/xt_IDLETIMER.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/2a670c323055282c9b72794a491d53cef86bbeaf\"}, {\"url\": \"https://git.kernel.org/stable/c/cae7cab804c943d723d52724a3aeb07a3f4a2650\"}, {\"url\": \"https://git.kernel.org/stable/c/902c0b1887522a099aa4e1e6b4b476c2fe5dd13e\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value\\n\\nCurrently, when the rule related to IDLETIMER is added, idletimer_tg timer\\nstructure is initialized by kmalloc on executing idletimer_tg_create\\nfunction. However, in this process timer-\u003etimer_type is not defined to\\na specific value. Thus, timer-\u003etimer_type has garbage value and it occurs\\nkernel panic. 
So, this commit fixes the panic by initializing\\ntimer-\u003etimer_type using kzalloc instead of kmalloc.\\n\\nTest commands:\\n    # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test\\n    $ cat /sys/class/xt_idletimer/timers/test\\n      Killed\\n\\nSplat looks like:\\n    BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70\\n    Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917\\n    CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e\\n    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\\n    Call Trace:\\n     dump_stack_lvl+0x6e/0x9c\\n     kasan_report.cold+0x112/0x117\\n     ? alarm_expires_remaining+0x49/0x70\\n     __asan_load8+0x86/0xb0\\n     alarm_expires_remaining+0x49/0x70\\n     idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]\\n     dev_attr_show+0x3c/0x60\\n     sysfs_kf_seq_show+0x11d/0x1f0\\n     ? device_remove_bin_file+0x20/0x20\\n     kernfs_seq_show+0xa4/0xb0\\n     seq_read_iter+0x29c/0x750\\n     kernfs_fop_read_iter+0x25a/0x2c0\\n     ? __fsnotify_parent+0x3d1/0x570\\n     ? iov_iter_init+0x70/0x90\\n     new_sync_read+0x2a7/0x3d0\\n     ? __x64_sys_llseek+0x230/0x230\\n     ? rw_verify_area+0x81/0x150\\n     vfs_read+0x17b/0x240\\n     ksys_read+0xd9/0x180\\n     ? vfs_write+0x460/0x460\\n     ? do_syscall_64+0x16/0xc0\\n     ? 
lockdep_hardirqs_on+0x79/0x120\\n     __x64_sys_read+0x43/0x50\\n     do_syscall_64+0x3b/0xc0\\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\\n    RIP: 0033:0x7f0cdc819142\\n    Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\\n    RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\\n    RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142\\n    RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003\\n    RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000\\n    R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0\\n    R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.76\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.14.15\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15\", \"versionStartIncluding\": \"5.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:11:13.363Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47451\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T07:11:13.363Z\", \"dateReserved\": \"2024-05-21T14:58:30.832Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-22T06:19:42.082Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

