| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022647-CVE-2021-47640-1cf1@gregkh>
Date: Wed, 26 Feb 2025 02:53:51 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-47640: powerpc/kasan: Fix early region not updated correctly
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kasan: Fix early region not updated correctly
The shadow's page table is not updated when PTE_RPN_SHIFT is 24
and PAGE_SHIFT is 12. It not only causes false positives but
also false negative as shown the following text.
Fix it by bringing the logic of kasan_early_shadow_page_entry here.
1. False Positive:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50
Write of size 16 at addr f57f3be0 by task swapper/0/1
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1
Call Trace:
[c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)
[c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300
[c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200
[c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0
[c80d1cc0] [c03018a4] memset+0x34/0x90
[c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50
[c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570
[c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0
[c80d1db0] [c2036580] init_sd+0xc4/0x1d0
[c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c
[c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384
[c80d1ef0] [c0004b14] kernel_init+0x24/0x170
[c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64
Memory state around the buggy address:
f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
2. False Negative (with KASAN tests):
==================================================================
Before fix:
ok 45 - kmalloc_double_kzfree
# vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039
KASAN failure expected in "((volatile char *)area)[3100]", but none occurred
not ok 46 - vmalloc_oob
not ok 1 - kasan
==================================================================
After fix:
ok 1 - kasan
The Linux kernel CVE team has assigned CVE-2021-47640 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.4 with commit cbd18991e24fea2c31da3bb117c83e4a3538cd11 and fixed in 5.4.189 with commit 7f19245c3647afea8c7c41f795506ef70f64b9f2
Issue introduced in 5.4 with commit cbd18991e24fea2c31da3bb117c83e4a3538cd11 and fixed in 5.10.110 with commit f39a3309393a4a484532f6ba745c6acbcfe06115
Issue introduced in 5.4 with commit cbd18991e24fea2c31da3bb117c83e4a3538cd11 and fixed in 5.15.33 with commit 5a3d8f3192a409893c57808cc935e16484df1068
Issue introduced in 5.4 with commit cbd18991e24fea2c31da3bb117c83e4a3538cd11 and fixed in 5.16.19 with commit de56beace6648065d404cd9835aa7d30e3df519d
Issue introduced in 5.4 with commit cbd18991e24fea2c31da3bb117c83e4a3538cd11 and fixed in 5.17.2 with commit e3d157a4b4f4e0268c98be5b7013bf4b31234bb6
Issue introduced in 5.4 with commit cbd18991e24fea2c31da3bb117c83e4a3538cd11 and fixed in 5.18 with commit dd75080aa8409ce10d50fb58981c6b59bf8707d3
Issue introduced in 5.3.6 with commit 3822dd8c102d11ada9d9ed8e04cad0b347a04689
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47640
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/powerpc/mm/kasan/kasan_init_32.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7f19245c3647afea8c7c41f795506ef70f64b9f2
https://git.kernel.org/stable/c/f39a3309393a4a484532f6ba745c6acbcfe06115
https://git.kernel.org/stable/c/5a3d8f3192a409893c57808cc935e16484df1068
https://git.kernel.org/stable/c/de56beace6648065d404cd9835aa7d30e3df519d
https://git.kernel.org/stable/c/e3d157a4b4f4e0268c98be5b7013bf4b31234bb6
https://git.kernel.org/stable/c/dd75080aa8409ce10d50fb58981c6b59bf8707d3
Powered by blists - more mailing lists