{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-4442","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-08-29T09:00:39.580Z","datePublished":"2024-08-29T09:05:37.288Z","dateUpdated":"2025-05-04T06:59:56.297Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T06:59:56.297Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add sanity tests to TCP_QUEUE_SEQ\n\nQingyu Li reported a syzkaller bug where the repro\nchanges RCV SEQ _after_ restoring data in the receive queue.\n\nmprotect(0x4aa000, 12288, PROT_READ)    = 0\nmmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000\nmmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000\nmmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000\nsocket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3\nsetsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0\nconnect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, \"::1\", &sin6_addr), sin6_scope_id=0}, 28) = 0\nsetsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0\nsendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=\"0x0000000000000003\\0\\0\", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20\nsetsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0\nsetsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0\nrecvfrom(3, NULL, 20, 0, NULL, NULL)    = -1 ECONNRESET (Connection reset by peer)\n\nsyslog shows:\n[  111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0\n[  111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0\n\nThis should not be allowed. TCP_QUEUE_SEQ should only be used\nwhen queues are empty.\n\nThis patch fixes this case, and the tx path as well."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp.c"],"versions":[{"version":"ee9952831cfd0bbe834f4a26489d7dce74582e37","lessThan":"319f460237fc2965a80aa9a055044e1da7b3692a","status":"affected","versionType":"git"},{"version":"ee9952831cfd0bbe834f4a26489d7dce74582e37","lessThan":"3bf899438c123c444f6b644a57784dfbb6b15ad6","status":"affected","versionType":"git"},{"version":"ee9952831cfd0bbe834f4a26489d7dce74582e37","lessThan":"046f3c1c2ff450fb7ae53650e9a95e0074a61f3e","status":"affected","versionType":"git"},{"version":"ee9952831cfd0bbe834f4a26489d7dce74582e37","lessThan":"3b72d5a703842f582502d97906f17d6ee122dac2","status":"affected","versionType":"git"},{"version":"ee9952831cfd0bbe834f4a26489d7dce74582e37","lessThan":"8811f4a9836e31c14ecdf79d9f3cb7c5d463265d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp.c"],"versions":[{"version":"3.5","status":"affected"},{"version":"0","lessThan":"3.5","status":"unaffected","versionType":"semver"},{"version":"4.19.181","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.106","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.24","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.11.7","lessThanOrEqual":"5.11.*","status":"unaffected","versionType":"semver"},{"version":"5.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"4.19.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"5.4.106"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"5.10.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"5.11.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"5.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/319f460237fc2965a80aa9a055044e1da7b3692a"},{"url":"https://git.kernel.org/stable/c/3bf899438c123c444f6b644a57784dfbb6b15ad6"},{"url":"https://git.kernel.org/stable/c/046f3c1c2ff450fb7ae53650e9a95e0074a61f3e"},{"url":"https://git.kernel.org/stable/c/3b72d5a703842f582502d97906f17d6ee122dac2"},{"url":"https://git.kernel.org/stable/c/8811f4a9836e31c14ecdf79d9f3cb7c5d463265d"}],"title":"tcp: add sanity tests to TCP_QUEUE_SEQ","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-4442","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T15:27:19.469739Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-12T17:33:04.156Z"}}]}}