Bug 1195184 - (CVE-2021-22600) VUL-0: CVE-2021-22600: kernel-source,kernel-source-rt,kernel-source-azure: A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/321782/
CVSSv3.1:SUSE:CVE-2021-22600:8.4:(AV:...
Blocks: 1195307
Reported: 2022-01-27 08:20 UTC by Robert Frohl
Modified: 2022-07-21 20:27 UTC (History)

Found By: Security Response Team

Attachments
reproducer (2.61 KB, patch)
2022-02-15 14:16 UTC, Marcos de Souza

Description Robert Frohl 2022-01-27 08:20:39 UTC
CVE-2021-22600

A double free bug in packet_set_ring() in net/packet/af_packet.c can be
exploited by a local user through crafted syscalls to escalate privileges or
deny service. We recommend upgrading kernel past the affected versions or
rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22600
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ec6af094ea28f0f2dda1a6a33b14cd57e36a9755
Comment 1 Robert Frohl 2022-01-27 08:24:05 UTC
from ec6af094ea28f0f2dda1a6a33b14cd57e36a9755

> Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")

introduced with v5.6, fixed with v5.16
Comment 2 Robert Frohl 2022-01-27 08:46:32 UTC
(In reply to Robert Frohl from comment #1)
> introduced with v5.6, fixed with v5.16

Looks like it was backported by us, can find it in v5.3 too. 

Tracking SLE15-SP2, SLE15-SP3 and SLE15-SP4 as affected. Please confirm or let me know if I missed anything.
Comment 5 Thomas Bogendoerfer 2022-02-02 09:43:44 UTC
Fix is present in all affected branches:

SLE15-SP2-LTSS       ef975a840b2a
SLE15-SP3            ef975a840b2a
SLE15-SP4            f89a0b7e8360
cve/linux-5.3        ef975a840b2a

Reassigning back to the security team.
Comment 15 Swamp Workflow Management 2022-02-10 20:26:00 UTC
openSUSE-SU-2022:0363-1: An update that solves 12 vulnerabilities and has 20 fixes is now available.

Category: security (critical)
Bug References: 1154353,1154488,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371
CVE References: CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-4159,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.40.4, kernel-source-azure-5.3.18-150300.38.40.4, kernel-syms-azure-5.3.18-150300.38.40.1
Comment 16 Swamp Workflow Management 2022-02-10 20:32:07 UTC
SUSE-SU-2022:0365-1: An update that solves 7 vulnerabilities and has 9 fixes is now available.

Category: security (critical)
Bug References: 1177599,1183405,1185377,1188605,1193096,1193506,1193861,1193864,1193867,1194048,1194227,1194880,1195009,1195065,1195184,1195254
CVE References: CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-45095,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-obs-build-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Manager Proxy 4.1 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-obs-build-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-obs-build-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.102.1, kernel-livepatch-SLE15-SP2_Update_24-1-5.3.1
SUSE Linux Enterprise Micro 5.0 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-obs-build-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-obs-build-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.102.1
SUSE Enterprise Storage 7 (src):    kernel-default-5.3.18-24.102.1, kernel-default-base-5.3.18-24.102.1.9.48.1, kernel-docs-5.3.18-24.102.1, kernel-obs-build-5.3.18-24.102.1, kernel-preempt-5.3.18-24.102.1, kernel-source-5.3.18-24.102.1, kernel-syms-5.3.18-24.102.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-02-10 20:35:21 UTC
SUSE-SU-2022:0363-1: An update that solves 12 vulnerabilities and has 20 fixes is now available.

Category: security (critical)
Bug References: 1154353,1154488,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371
CVE References: CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-4159,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.40.4, kernel-source-azure-5.3.18-150300.38.40.4, kernel-syms-azure-5.3.18-150300.38.40.1
Comment 18 Swamp Workflow Management 2022-02-11 11:22:01 UTC
SUSE-SU-2022:0370-1: An update that solves 11 vulnerabilities and has 29 fixes is now available.

Category: security (critical)
Bug References: 1154353,1154488,1156395,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371,1195476,1195477,1195478,1195479,1195480,1195481,1195482
CVE References: CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.49.1, kernel-preempt-5.3.18-150300.59.49.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.49.1, kernel-livepatch-SLE15-SP3_Update_14-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.49.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.49.1, kernel-obs-build-5.3.18-150300.59.49.1, kernel-preempt-5.3.18-150300.59.49.1, kernel-source-5.3.18-150300.59.49.1, kernel-syms-5.3.18-150300.59.49.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.49.1, kernel-default-5.3.18-150300.59.49.1, kernel-default-base-5.3.18-150300.59.49.1.150300.18.31.1, kernel-preempt-5.3.18-150300.59.49.1, kernel-source-5.3.18-150300.59.49.1, kernel-zfcpdump-5.3.18-150300.59.49.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.49.1, kernel-default-base-5.3.18-150300.59.49.1.150300.18.31.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.49.1
Comment 19 Swamp Workflow Management 2022-02-11 11:26:08 UTC
openSUSE-SU-2022:0370-1: An update that solves 11 vulnerabilities and has 29 fixes is now available.

Category: security (critical)
Bug References: 1154353,1154488,1156395,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371,1195476,1195477,1195478,1195479,1195480,1195481,1195482
CVE References: CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.49.1, kernel-preempt-5.3.18-150300.59.49.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.49.1, kernel-64kb-5.3.18-150300.59.49.1, kernel-debug-5.3.18-150300.59.49.1, kernel-default-5.3.18-150300.59.49.1, kernel-default-base-5.3.18-150300.59.49.1.150300.18.31.1, kernel-docs-5.3.18-150300.59.49.1, kernel-kvmsmall-5.3.18-150300.59.49.1, kernel-obs-build-5.3.18-150300.59.49.1, kernel-obs-qa-5.3.18-150300.59.49.1, kernel-preempt-5.3.18-150300.59.49.1, kernel-source-5.3.18-150300.59.49.1, kernel-syms-5.3.18-150300.59.49.1, kernel-zfcpdump-5.3.18-150300.59.49.1
Comment 20 Marcos de Souza 2022-02-15 14:16:56 UTC
Created attachment 856171 [details]
reproducer

Hi Martin, I managed to create a reproducer to trigger the double free issue. Do you think it could be turned into an LTP test?
Comment 21 Martin Doucha 2022-02-15 15:55:26 UTC
(In reply to Marcos de Souza from comment #20)
> Created attachment 856171 [details]
> reproducer
> 
> Hi Martin, I managed to create a reproducer to trigger the double free
> issue. Do you think it could be turned into an LTP test?

Thanks, this looks simple enough to port. I'll do it tomorrow. Or if you'd like to get familiar with LTP yourself, modifying setsockopt07 would be a straightforward way to port the reproducer:
https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/setsockopt/setsockopt07.c
Comment 23 Swamp Workflow Management 2022-02-21 17:25:09 UTC
SUSE-SU-2022:0543-1: An update that solves 9 vulnerabilities and has 29 fixes is now available.

Category: security (critical)
Bug References: 1154353,1154488,1156395,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371,1195476,1195477,1195478,1195479,1195480,1195481,1195482
CVE References: CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-22942
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.76.1, kernel-rt_debug-5.3.18-150300.76.1, kernel-source-rt-5.3.18-150300.76.1, kernel-syms-rt-5.3.18-150300.76.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.76.1
Comment 24 Swamp Workflow Management 2022-02-21 17:28:59 UTC
SUSE-SU-2022:0544-1: An update that solves 6 vulnerabilities and has 11 fixes is now available.

Category: security (critical)
Bug References: 1177599,1183405,1185377,1187428,1188605,1193096,1193506,1193861,1193864,1193867,1194048,1194227,1194880,1195009,1195065,1195184,1195254
CVE References: CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-45095,CVE-2022-0330,CVE-2022-22942
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-73.1, kernel-rt_debug-5.3.18-73.1, kernel-source-rt-5.3.18-73.1, kernel-syms-rt-5.3.18-73.1
SUSE Linux Enterprise Micro 5.0 (src):    kernel-rt-5.3.18-73.1
Comment 25 Alexander Bergmann 2022-03-17 07:58:09 UTC
Fixed and released.
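
A defender-side check built from this thread, as an added example that is not part of the bug report or of SUSE's tooling: because the faulty commit was backported to the 5.3 kernels (Comment 2), a scanner that only tests the upstream range from Comment 1 misses them, so the comparison has to be made against the fixed package builds in the update notices. The function names, the service-pack keys and the sample installed builds are assumptions of this example; the fixed builds are copied from the notices above.

```python
# Added example: fixed builds copied from the update notices in this bug.
FIXED = {
    ("kernel-default", "SP2"): "5.3.18-24.102.1",
    ("kernel-default", "SP3"): "5.3.18-150300.59.49.1",
    ("kernel-azure", "SP3"): "5.3.18-150300.38.40.4",
    ("kernel-rt", "SP2"): "5.3.18-73.1",
    ("kernel-rt", "SP3"): "5.3.18-150300.76.1",
}


def vr_key(version_release):
    """Order key for 'version-release' strings made only of dotted numbers.

    Simplified stand-in for rpm's own comparison (an assumption of this
    example); it is enough for the kernel builds listed above.
    """
    version, release = version_release.split("-", 1)
    return tuple(tuple(int(n) for n in part.split("."))
                 for part in (version, release))


def upstream_range_flags(version_release):
    """Naive check: only the upstream range from Comment 1 (v5.6 up to v5.16)."""
    return (5, 6) <= vr_key(version_release)[0][:2] < (5, 16)


def has_fix(package, service_pack, installed):
    """True when the installed build is at or past the fixed build.

    False means the fix is absent; the page does not say which build first
    carried the backported faulty commit, so it is not proof of exposure.
    """
    return vr_key(installed) >= vr_key(FIXED[(package, service_pack)])


if __name__ == "__main__":
    # Constructed sample inventory: (package, service pack, installed build).
    inventory = [
        ("kernel-default", "SP2", "5.3.18-24.99.1"),
        ("kernel-default", "SP3", "5.3.18-59.40.1"),
        ("kernel-rt", "SP3", "5.3.18-150300.76.1"),
    ]
    for pkg, sp, build in inventory:
        print(pkg, sp, build,
              "upstream-range:", upstream_range_flags(build),
              "has-fix:", has_fix(pkg, sp, build))
```

The service pack is passed explicitly rather than inferred from the release string, since the constructed SP3 build `5.3.18-59.40.1` has no `150300` prefix and would otherwise be compared against the SP2 threshold.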