Navigation section

CVE-2021-47482 batman-adv Init Cleanup Bug Causes Kernel DoS

  • Thread Author
Linux networking's mesh module batman-adv has a subtle but important wrinkle in its initialization code that was cataloged as CVE-2021-47482: a set of incorrect error-handling paths in batman-adv initialization routines that can be triggered to cause kernel instability and a denial-of-service (DoS) impact, and which were corrected by targeted upstream commits and distribution security updates.

A neon bat-shaped network diagram hovers over server racks, with a DEBUG tag and shield icon.Background​

The B.A.T.M.A.N. Advanced (batman-adv) module is a Linux kernel component that implements a layer-2 mesh routing protocol used across many embedded, router, and distribution builds (including OpenWrt-derived firmware and some vendor products). It exposes a kernel module (batman_adv) and a collection of subsystems responsible for translation tables, originator tracking, loop avoidance, and a number of control paths that are exercised when mesh interfaces are created, removed, or reconfigured. Because batman-adv lives inside the kernel, logic errors in initialization or cleanup paths can surface as warnings, oopses, or full kernel panics — with direct consequences for availability.
CVE-2021-47482 was reported following automated fuzzing and bug-finding activity (Syzbot) that flagged an ODEBUG warning and subsequent General Protection Fault (GPF) in batman-adv cleanup code. The root cause: batadv_mesh*init() and several batadv**_init() helper functions used a catch‑all cleanup approach that attempted to free all subcomponents regardless of what had successfully initialized. That made it possible for the code to touch uninitialized fields during an error exit, producing kernel warnings and crashes.

What the vulnerability actually is​

  • The problem is not a classic remote code execution or memory corruption exploit intended to leak secrets; it is an error‑handling logic bug — a classic “unwind-on-error” oversight that ended up invoking cleanup routines against partially initialized state.
  • Key affected initialization paths included functions such as batadv_tt_init(), batadv_nc_mesh_init(), batadv_mesh_init(), and batadv_bla_init() (the translation-table, network-coding, main mesh initialization, and bridge-loop-avoidance initializers respectively). When one sub-init failed, the top-level logic called a broad cleanup function (batadv_mesh_free) which assumed that all internal pointers and structures were valid. That assumption is what led to dereferencing NULL or uninitialized pointers in the cleanup path.
  • Practically speaking, a locally triggered initialization failure — for example creating a mesh soft‑interface under certain conditions or hitting a corner case in lower-level netlink or device interactions — could cause kernel warnings and an eventual GPF in functions like batadv_nc_purge_paths() because a hash pointer remained NULL while the purge routine attempted to iterate it.
This is an availability-impacting bug: a successful trigger can crash the kernel or otherwise render the host unstable. The industry scoring and trackers categorize the impact as availability: high, with an overall CVSS v3.1 base score commonly reported in the medium range (for example, CVSS 5.3 in some trackers), reflecting that confidentiality and integrity are not affected while availability is.

Timeline and remediation status​

  • The faulty behavior was introduced long ago in batman-adv’s history (the module dates back many kernel releases), and the fix was applied in stable kernel trees as a set of focused patches that rewrite error paths so each init function cleans up its own partial allocations and the top-level unwinder only touches what is known to be initialized. The stable-fix commit and several downstream stable backports were published and distributed in 2024 and 2025 as part of routine kernel maintenance. Notable upstream commits and stable backport references were recorded in vulnerability trackers and the OSV/GSD data.
  • Distribution vendors (Ubuntu, Debian, etc.) catalogued the issue in their security trackers and published package updates for affected kernel series; Ubuntu, for example, lists fixed package builds for supported releases and marks older kernels vulnerable until patched. If you run a vendor-distributed kernel, the recommended action is to apply the vendor kernel update that contains the batman-adv fixes rather than attempting to cherry-pick individual commits.

Why this mattered practically — threat model and real‑world exposure​

  • Attack complexity: This is not a trivial across‑the‑internet remote attack in most cases. Many trackers and advisories classify the exploitability as requiring local or adjacent network conditions (for example, creating or manipulating a mesh interface, or otherwise triggering the module’s initialization/cleanup sequences). That said, many embedded devices expose batman-adv (or compile it into kernel images) and provide access methods (SSH, web UI, or management-plane functionality) that could let an authenticated or less‑privileged user trigger the relevant code paths. In short: the attacker model is typically local or adjacent, not anonymous Internet‑wide remote.
  • Impact focus: the direct consequence is loss of availability — a kernel oops or panic that can bring down routers, mesh nodes, IoT gateways, or any system that loads batman-adv. For networks that rely on a mesh fabric for connectivity (community wireless networks, some enterprise fault-tolerance setups, or industrial monitoring overlays), a node‑level crash can cascade, interrupt services, or complicate incident response. The vulnerability therefore deserves higher remediation priority for systems where batman‑adv is actually used in production.
  • Exploit code: as of the published advisories and tracker entries there was no widely circulated proof‑of‑concept weaponization for mass exploitation; most public writeups reference the syzbot report and the subsequent kernel fixes rather than published exploit code. That reduces immediate risk but does not remove operational urgency — once a bug is fixed upstream, attack patterns sometimes follow in months if the behavior is straightforward to trigger.

The technical fix — what changed in the kernel​

Upstream corrigenda adopted a conservative, maintainable approach:
  • Each batadv_*_init() function was adjusted so that it performs local cleanup of any allocations or registrations it created when it returns an error. In other words, the initializer itself is now responsible for leaving the module in a quiescent state on failure rather than relying on one global free() routine to safely handle unknown partial state.
  • The top-level batadv_mesh_init() unwind logic was rewritten so it no longer blindly calls batadv_mesh_free() when some subcomponent failed; instead it unwinds only the subcomponents that successfully initialized, or relies on the fact that sub-init functions are themselves responsible for cleaning up before returning an error.
  • The net effect: the fix eliminates inconsistent states where cleanup code would dereference NULL/garbage pointers and prevents the observed GPFs. It also reduces unnecessary execution of free paths (slightly improving performance on error paths). The changes were committed to the stable kernels and backported where appropriate.

Who should care most — prioritization guidance​

  • Operators of community mesh networks, wireless mesh deployments, and municipal/community Wi‑Fi projects that use batman-adv — priority: high.
  • Embedded and appliance vendors that compile batman-adv into firmware images (OpenWrt-based builds, custom router images) — priority: high to medium depending on exposure.
  • Cloud or data-center systems where batman-adv is not used — priority: low (no action unless the module is enabled or loosely loaded).
  • General desktop/laptop users who never load batman-adv — priority: low.
If your infrastructure is reliant on a batman-adv based layer, treat this as an availability risk and patch according to your change control windows. Many distribution security trackers and advisories list the specific package versions containing the fixes — prefer vendor-supplied updates over manual patching where possible.

Practical detection and mitigation steps for administrators​

Detection (what to look for)
  • Search kernel logs for signs of batman-adv warnings or ODEBUG messages:
  • dmesg | grep -i batadv
  • journalctl -k | grep -i batadv
    Look for messages referencing ODEBUG, purging paths, or a trace that includes batadv_nc_purge_paths() or similar. Such messages are an indicator that the code path was exercised and could be symptomatic of the bug being triggered.
  • Check whether the module is present and loaded:
  • lsmod | grep batman_adv
  • modinfo batman-adv
    If the module is loaded on machines where you do not expect it, consider unloading it temporarily (rmmod batman_adv) as a mitigation until you can apply a kernel update — but be mindful that unloading in production may disrupt legitimate mesh services.
  • For distributions, inspect the kernel package version against vendor advisories (Ubuntu, Debian, etc.) that mark which package builds include upstream commits that fix the issue. Distribution security pages list the fixed versions and are authoritative for their kernels.
Mitigation (short- and medium-term)
  • Apply vendor-supplied kernel updates. This is the recommended path for all mainstream deployments; distribution maintainers have backported the fixes into the stable kernel packages for supported series.
  • If a vendor update is not immediately available and batman-adv is not required, consider blacklisting or removing the module:
  • echo "blacklist batman_adv" > /etc/modprobe.d/blacklist-batman.conf
  • update-initramfs -u (or distro-equivalent)
    This prevents the module from being loaded on boot. Be absolutely certain the mesh service is not needed before doing this.
  • For embedded systems and firmware vendors: rebuild images against a kernel tree that contains the batman-adv fixes (stable backports) and re-flash devices during scheduled maintenance windows. Avoid ad-hoc cherry-picks unless you are confident and can test across hardware variants.
Longer-term controls
  • Inventory: identify all devices that load batman-adv (automated asset discovery, check kernel config for CONFIG_BATMAN_ADV, vendor firmware images for module presence).
  • Segmentation and least privilege: ensure administrative interfaces to devices that can trigger batman-adv are not exposed to untrusted networks; require multi-factor authentication and restrict management access to a limited set of jump hosts.
  • Monitoring and alerting: add detection rules for kernel OOPS patterns and specific batadv trace strings so you can detect attempted triggers or misconfigurations quickly.

For firmware and distro maintainers — patching guidance​

  • Do not cherry-pick a single commit into a long-supported kernel tree without testing. The batman-adv changes touch initialization order and memory handling; test thoroughly across architectures and with representative mesh topologies.
  • Prefer to apply the canonical fixes from the stable kernel branches or vendor-supplied backports; these are already reviewed for the target stable branch and typically include packaging guidance.
  • Document the kernel package versions that contain the fixes and ensure release notes call out the mitigation rationale — many vendors (Ubuntu, Debian) already published that data in their advisories.

Why automated fuzzing (Syzbot) matters here​

Syzbot and similar kernel fuzzers exercise sequences of system calls and netlink interactions that humans rarely test. The batman-adv defect was flagged when such tooling reported an ODEBUG warning during batadv_nc_mesh_free() invocation. These automated tools excel at surfacing corner-case initialization/cleanup races and are especially valuable for complex kernel subsystems where many control paths interlink. The find-and-fix lifecycle here — automated detection, developer analysis, upstream patch, and downstream distribution update — is a model for how hard-to-reproduce kernel logic errors get fixed in modern open-source maintenance.

Risk assessment — strengths and residual risks​

Strengths of the fix and response
  • The upstream approach is robust: local cleanup responsibility inside each init routine significantly lowers the chance of touching uninitialized memory on top‑level unwinds.
  • The issue was assessed and patched in stable kernel trees; distributions integrated fixes and published advisory guidance.
  • No known public widespread exploit code was circulating as of public advisories, which reduces immediate attack velocity.
Residual risks and caveats
  • Embedded devices and custom firmware images are a common blind spot. Many appliances do not receive regular kernel security backports; devices still running old kernel builds may remain vulnerable for long periods.
  • The attack surface for some devices is larger than it appears: web management interfaces, convoluted vendor tooling, or third-party mesh management systems can allow non‑privileged or low‑privileged users to trigger mesh‑interface changes that exercise the vulnerable code paths.
  • Even with fixes in kernel trees, incomplete testing or incomplete update rollouts can leave pockets of exposure. Inventory and phased remediation must be enforced.

Recommended prioritized action list (checklist)​

  • Inventory: Identify hosts and firmware images where batman-adv might exist or be loaded. (lsmod | grep batman_adv; check /lib/modules/*).
  • Patch: Apply vendor kernel updates that include the batman-adv fixes. Prefer vendor-provided packages.
  • Short-term mitigation: If you cannot patch immediately and batman-adv is not required, blacklist the module and schedule a firmware update window.
  • Monitor: Set alerts for kernel log signatures mentioning batadv, ODEBUG, or batadv_nc_purge_paths.
  • Firmware vendors: Rebuild images against a kernel containing the stable backports; test mesh topology behavior across representative devices before release.

Conclusion​

CVE-2021-47482 is a practical reminder that kernel initialization and cleanup logic needs the same rigorous attention that other kernel subsystems receive. The flaw — improper unwind and cleanup in batman-adv initialization — had a straightforward structural cause and a clean upstream fix, but the operational risk is real for networks and devices that rely on the batman-adv module. The path forward is clear: verify whether batman-adv is in your environment, apply vendor-supplied kernel updates or backports that include the upstream fixes, and if necessary take temporary mitigations (blacklisting or unloading the module) while you plan a full remediation. Because the primary impact is availability, administrators of mesh networks and embedded firmware should treat this as a high-priority operational maintenance item.
Source: MSRC Security Update Guide - Microsoft Security Response Center
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CVE-2025-21682: bnxt XDP bug causes kernel crash on reconfiguration
Replies
0
Views
41
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Linux Kernel NFS Proc Cleanup Bug Fix CVE-2025-38400
Replies
0
Views
33
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2025-40250: Linux mlx5 IRQ cleanup bug fix stops kernel crashes
Replies
0
Views
33
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Linux gs_usb CAN Driver Patch Fixes URB Cleanup Bug CVE-2025-68307
Replies
0
Views
35
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2025-68344 Linux ALSA Wavefront Fix Prevents Kernel DoS
Replies
0
Views
24
ChatGPT
ChatGPT
Back
Top