CVE-2021-47274

Summary

In the Linux kernel, the following vulnerability has been resolved:

tracing: Correct the length check which causes memory corruption

We've suffered from severe kernel crashes due to memory corruption on our production environment, like,

Call Trace: [1640542.554277] general protection fault: 0000 [#1] SMP PTI [1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G [1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190 [1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286 [1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf [1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300 [1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000 [1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d [1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976 [1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000 [1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0 [1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1640542.566742] Call Trace: [1640542.567009] anon_vma_clone+0x5d/0x170 [1640542.567417] __split_vma+0x91/0x1a0 [1640542.567777] do_munmap+0x2c6/0x320 [1640542.568128] vm_munmap+0x54/0x70 [1640542.569990] __x64_sys_munmap+0x22/0x30 [1640542.572005] do_syscall_64+0x5b/0x1b0 [1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [1640542.575642] RIP: 0033:0x7f45d6e61e27

James Wang has reproduced it stably on the latest 4.19 LTS. After some debugging, we finally proved that it's due to ftrace buffer out-of-bound access using a debug tool as follows: [ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000 [ 86.780806] no_context+0xdf/0x3c0 [ 86.784327] __do_page_fault+0x252/0x470 [ 86.788367] do_page_fault+0x32/0x140 [ 86.792145] page_fault+0x1e/0x30 [ 86.795576] strncpy_from_unsafe+0x66/0xb0 [ 86.799789] fetch_memory_string+0x25/0x40 [ 86.804002] fetch_deref_string+0x51/0x60 [ 86.808134] kprobe_trace_func+0x32d/0x3a0 [ 86.812347] kprobe_dispatcher+0x45/0x50 [ 86.816385] kprobe_ftrace_handler+0x90/0xf0 [ 86.820779] ftrace_ops_assist_func+0xa1/0x140 [ 86.825340] 0xffffffffc00750bf [ 86.828603] do_sys_open+0x5/0x1f0 [ 86.832124] do_syscall_64+0x5b/0x1b0 [ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9

commit b220c049d519 ("tracing: Check length before giving out the filter buffer") adds length check to protect trace data overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent overflow entirely, the length check should also take the sizeof entry->array[0] into account, since this array[0] is filled the length of trace data and occupy addtional space and risk overflow.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2e584b1a02eeb860e286d39bc408b25ebc5ec844 < edcce01e0e50840a9aa6a70baed21477bdd2c9f9affected
LinuxLinuxe46d433754420b4d6513ca389403de88a0910279 < 2d598902799886d67947406f26ee8e5fd2ca097faffected
LinuxLinux0572fc6a510add9029b113239eaabf4b5bce8ec9 < 31ceae385556c37e4d286cb6378696448f566883affected
LinuxLinuxa0997a86f5c0085e183ddee5fb72091d584d3d16 < d63f00ec908b3be635ead5d6029cc94246e1f38daffected
LinuxLinux7c93d8cff582c459350d6f8906eea6e4cd60d959 < 43c32c22254b9328d7abb1c2b0f689dc67838e60affected
LinuxLinuxb220c049d5196dd94d992dd2dc8cba1a5e6123bf < b16a249eca2230c2cd66fa1d4b94743bd9b6ef92affected
LinuxLinuxb220c049d5196dd94d992dd2dc8cba1a5e6123bf < 3e08a9f9760f4a70d633c328a76408e62d6f80a3affected
LinuxLinux4.9.258 < 4.9.273affected
LinuxLinux4.14.222 < 4.14.237affected
LinuxLinux4.19.177 < 4.19.195affected
LinuxLinux5.4.99 < 5.4.126affected
LinuxLinux5.10.17 < 5.10.44affected
LinuxLinux5.11affected
LinuxLinux0 < 5.11unaffected
LinuxLinux4.9.273 <= 4.9.*unaffected
LinuxLinux4.14.237 <= 4.14.*unaffected
LinuxLinux4.19.195 <= 4.19.*unaffected
LinuxLinux5.4.126 <= 5.4.*unaffected
LinuxLinux5.10.44 <= 5.10.*unaffected
LinuxLinux5.12.11 <= 5.12.*unaffected
LinuxLinux5.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References