Wind River Support Network

Fixed

LIN1022-9024 : Security Advisory - linux - CVE-2021-47546

Created: May 24, 2024    Updated: Jun 16, 2024
Resolved Date: May 31, 2024
Found In Version: 10.22.33.1
Fix Version: 10.22.33.17
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix memory leak in fib6_rule_suppress

The kernel leaks memory when a `fib` rule is present in IPv6 nftables firewall rules and a suppress_prefix rule is present in the IPv6 routing rules (used by certain tools such as wg-quick). In such scenarios, every incoming packet will leak an allocation in `ip6_dst_cache` slab cache.

After some hours of `bpftrace`-ing and source code reading, I tracked down the issue to ca7a03c41753 ("ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule").

The problem with that change is that the generic `args->flags` always have `FIB_LOOKUP_NOREF` set [1][2] but the IPv6-specific flag `RT6_LOOKUP_F_DST_NOREF` might not be, leading to `fib6_rule_suppress` not decreasing the refcount when needed.

How to reproduce:
 - Add the following nftables rule to a prerouting chain:
     meta nfproto ipv6 fib saddr . mark . iif oif missing drop
   This can be done with:
     sudo nft create table inet test
     sudo nft create chain inet test test_chain '{ type filter hook prerouting priority filter + 10; policy accept; }'
     sudo nft add rule inet test test_chain meta nfproto ipv6 fib saddr . mark . iif oif missing drop
 - Run:
     sudo ip -6 rule add table main suppress_prefixlength 0
 - Watch `sudo slabtop -o | grep ip6_dst_cache` to see memory usage increase with every incoming ipv6 packet.

This patch exposes the protocol-specific flags to the protocol specific `suppress` function, and checks the protocol-specific `flags` argument for RT6_LOOKUP_F_DST_NOREF instead of the generic FIB_LOOKUP_NOREF when decreasing the refcount, like this.

[1]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L71
[2]: https://github.com/torvalds/linux/blob/ca7a03c4175366a92cee0ccc4fec0038c3266e26/net/ipv6/fib6_rules.c#L99
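The flag mismatch described above, as an added user-space model (not kernel code and not part of the advisory or the patch): it compares a suppress step that checks the generic flag with one that checks the IPv6-specific flag. The struct, the function names and the flag values are assumptions made for this illustration, and a single reference counter stands in for the per-packet `ip6_dst_cache` allocations.

```c
#include <stdio.h>

/* Flag values are constructed for this model, not copied from kernel headers. */
#define FIB_LOOKUP_NOREF       0x1 /* generic fib_rules flag, always set by the caller */
#define RT6_LOOKUP_F_DST_NOREF 0x2 /* IPv6-specific flag, may or may not be set */

/* Hypothetical stand-in for a route entry held in the ip6_dst_cache slab. */
struct dst { int refcnt; };

/* Lookup step: a reference is taken unless the IPv6 caller asked for NOREF. */
static void lookup(struct dst *d, int rt6_flags)
{
    if (!(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
        d->refcnt++;
}

/* Before the fix: the put depends on the generic flag, so it never happens. */
static void suppress_before(struct dst *d, int generic_flags, int rt6_flags)
{
    (void)rt6_flags;
    if (!(generic_flags & FIB_LOOKUP_NOREF))
        d->refcnt--;
}

/* After the fix: the put depends on the flag that governed the get. */
static void suppress_after(struct dst *d, int generic_flags, int rt6_flags)
{
    (void)generic_flags;
    if (!(rt6_flags & RT6_LOOKUP_F_DST_NOREF))
        d->refcnt--;
}

typedef void (*suppress_fn)(struct dst *, int, int);

/* Simulate `packets` lookups that all hit the suppress rule; return leaked refs. */
static int leaked_refs(suppress_fn suppress, int rt6_flags, int packets)
{
    struct dst d = { 0 };
    for (int i = 0; i < packets; i++) {
        lookup(&d, rt6_flags);
        suppress(&d, FIB_LOOKUP_NOREF, rt6_flags); /* generic flag always set */
    }
    return d.refcnt;
}

int main(void)
{
    printf("before fix: %d leaked\n", leaked_refs(suppress_before, 0, 1000));
    printf("after fix:  %d leaked\n", leaked_refs(suppress_after, 0, 1000));
    return 0;
}
```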

CREATE(Triage):(User=admin) CVE-2021-47546 (https://nvd.nist.gov/vuln/detail/CVE-2021-47546)
