{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47496","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-22T06:20:56.202Z","datePublished":"2024-05-22T08:19:43.489Z","dateUpdated":"2025-05-04T07:12:17.959Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:12:17.959Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: Fix flipped sign in tls_err_abort() calls\n\nsk->sk_err appears to expect a positive value, a convention that ktls\ndoesn't always follow and that leads to memory corruption in other code.\nFor instance,\n\n    [kworker]\n    tls_encrypt_done(..., err=<negative error from crypto request>)\n      tls_err_abort(.., err)\n        sk->sk_err = err;\n\n    [task]\n    splice_from_pipe_feed\n      ...\n        tls_sw_do_sendpage\n          if (sk->sk_err) {\n            ret = -sk->sk_err;  // ret is positive\n\n    splice_from_pipe_feed (continued)\n      ret = actor(...)  // ret is still positive and interpreted as bytes\n                        // written, resulting in underflow of buf->len and\n                        // sd->len, leading to huge buf->offset and bogus\n                        // addresses computed in later calls to actor()\n\nFix all tls_err_abort() callers to pass a negative error code\nconsistently and centralize the error-prone sign flip there, throwing in\na warning to catch future misuse and uninlining the function so it\nreally does only warn once."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/tls.h","net/tls/tls_sw.c"],"versions":[{"version":"c46234ebb4d1eee5e09819f49169e51cfc6eb909","lessThan":"e0cfd5159f314d6b304d030363650b06a2299cbb","status":"affected","versionType":"git"},{"version":"c46234ebb4d1eee5e09819f49169e51cfc6eb909","lessThan":"f3dec7e7ace38224f82cf83f0049159d067c2e19","status":"affected","versionType":"git"},{"version":"c46234ebb4d1eee5e09819f49169e51cfc6eb909","lessThan":"e41473543f75f7dbc5d605007e6f883f1bd13b9a","status":"affected","versionType":"git"},{"version":"c46234ebb4d1eee5e09819f49169e51cfc6eb909","lessThan":"da353fac65fede6b8b4cfe207f0d9408e3121105","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/tls.h","net/tls/tls_sw.c"],"versions":[{"version":"4.17","status":"affected"},{"version":"0","lessThan":"4.17","status":"unaffected","versionType":"semver"},{"version":"5.4.157","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.77","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.14.16","lessThanOrEqual":"5.14.*","status":"unaffected","versionType":"semver"},{"version":"5.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.4.157"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.10.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.14.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e0cfd5159f314d6b304d030363650b06a2299cbb"},{"url":"https://git.kernel.org/stable/c/f3dec7e7ace38224f82cf83f0049159d067c2e19"},{"url":"https://git.kernel.org/stable/c/e41473543f75f7dbc5d605007e6f883f1bd13b9a"},{"url":"https://git.kernel.org/stable/c/da353fac65fede6b8b4cfe207f0d9408e3121105"}],"title":"net/tls: Fix flipped sign in tls_err_abort() calls","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:39:59.752Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/e0cfd5159f314d6b304d030363650b06a2299cbb","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f3dec7e7ace38224f82cf83f0049159d067c2e19","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e41473543f75f7dbc5d605007e6f883f1bd13b9a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/da353fac65fede6b8b4cfe207f0d9408e3121105","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-47496","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T15:35:52.280096Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:23.659Z"}}]}}