CVE-2021-47044
Vulnerability from cvelistv5
Published
2024-02-28 08:13
Modified
2024-12-19 07:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix shift-out-of-bounds in load_balance()
Syzbot reported a handful of occurrences where an sd->nr_balance_failed can
grow to much higher values than one would expect.
A successful load_balance() resets it to 0; a failed one increments
it. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an
active balance, which will either set it to sd->cache_nice_tries+1 or reset
it to 0. However, in case the to-be-active-balanced task is not allowed to
run on env->dst_cpu, then the increment is done without any further
modification.
This could then be repeated ad nauseam, and would explain the absurdly high
values reported by syzbot (86, 149). VincentG noted there is value in
letting sd->cache_nice_tries grow, so the shift itself should be
fixed. That means preventing:
"""
If the value of the right operand is negative or is greater than or equal
to the width of the promoted left operand, the behavior is undefined.
"""
Thus we need to cap the shift exponent to
BITS_PER_TYPE(typeof(lefthand)) - 1.
I had a look around for other similar cases via coccinelle:
@expr@
position pos;
expression E1;
expression E2;
@@
(
E1 >> E2@pos
|
E1 >> E2@pos
)
@cst depends on expr@
position pos;
expression expr.E1;
constant cst;
@@
(
E1 >> cst@pos
|
E1 << cst@pos
)
@script:python depends on !cst@
pos << expr.pos;
exp << expr.E2;
@@
# Dirty hack to ignore constexpr
if exp.upper() != exp:
coccilib.report.print_report(pos[0], "Possible UB shift here")
The only other match in kernel/sched is rq_clock_thermal() which employs
sched_thermal_decay_shift, and that exponent is already capped to 10, so
that one is fine.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2021-47044", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-28T18:44:53.488673Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T16:53:41.863Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-04T05:24:39.623Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/80862cbf76c2646f709a57c4517aefe0b094c774" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/2f3eab368e313dba35fc2f51ede778bf7b030b54" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/805cea93e66ca7deaaf6ad3b67224ce47c104c2f" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/39a2a6eb5c9b66ea7c8055026303b3aa681b49a5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/sched/fair.c", "kernel/sched/sched.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "80862cbf76c2646f709a57c4517aefe0b094c774", "status": "affected", "version": "5a7f555904671c0737819fe4d19bd6143de3f6c0", "versionType": "git" }, { "lessThan": "2f3eab368e313dba35fc2f51ede778bf7b030b54", "status": "affected", "version": "5a7f555904671c0737819fe4d19bd6143de3f6c0", "versionType": "git" }, { "lessThan": "805cea93e66ca7deaaf6ad3b67224ce47c104c2f", "status": "affected", "version": "5a7f555904671c0737819fe4d19bd6143de3f6c0", "versionType": "git" }, { "lessThan": "39a2a6eb5c9b66ea7c8055026303b3aa681b49a5", "status": "affected", "version": "5a7f555904671c0737819fe4d19bd6143de3f6c0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/sched/fair.c", "kernel/sched/sched.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.37", "versionType": "semver" }, { "lessThanOrEqual": "5.11.*", "status": "unaffected", "version": "5.11.21", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix shift-out-of-bounds in load_balance()\n\nSyzbot reported a handful of occurrences where an sd-\u003enr_balance_failed can\ngrow to much higher values than one would expect.\n\nA successful load_balance() resets it to 0; a failed one increments\nit. Once it gets to sd-\u003ecache_nice_tries + 3, this *should* trigger an\nactive balance, which will either set it to sd-\u003ecache_nice_tries+1 or reset\nit to 0. However, in case the to-be-active-balanced task is not allowed to\nrun on env-\u003edst_cpu, then the increment is done without any further\nmodification.\n\nThis could then be repeated ad nauseam, and would explain the absurdly high\nvalues reported by syzbot (86, 149). VincentG noted there is value in\nletting sd-\u003ecache_nice_tries grow, so the shift itself should be\nfixed. That means preventing:\n\n \"\"\"\n If the value of the right operand is negative or is greater than or equal\n to the width of the promoted left operand, the behavior is undefined.\n \"\"\"\n\nThus we need to cap the shift exponent to\n BITS_PER_TYPE(typeof(lefthand)) - 1.\n\nI had a look around for other similar cases via coccinelle:\n\n @expr@\n position pos;\n expression E1;\n expression E2;\n @@\n (\n E1 \u003e\u003e E2@pos\n |\n E1 \u003e\u003e E2@pos\n )\n\n @cst depends on expr@\n position pos;\n expression expr.E1;\n constant cst;\n @@\n (\n E1 \u003e\u003e cst@pos\n |\n E1 \u003c\u003c cst@pos\n )\n\n @script:python depends on !cst@\n pos \u003c\u003c expr.pos;\n exp \u003c\u003c expr.E2;\n @@\n # Dirty hack to ignore constexpr\n if exp.upper() != exp:\n coccilib.report.print_report(pos[0], \"Possible UB shift here\")\n\nThe only other match in kernel/sched is rq_clock_thermal() which employs\nsched_thermal_decay_shift, and that exponent is already capped to 10, so\nthat one is fine." } ], "providerMetadata": { "dateUpdated": "2024-12-19T07:34:11.894Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/80862cbf76c2646f709a57c4517aefe0b094c774" }, { "url": "https://git.kernel.org/stable/c/2f3eab368e313dba35fc2f51ede778bf7b030b54" }, { "url": "https://git.kernel.org/stable/c/805cea93e66ca7deaaf6ad3b67224ce47c104c2f" }, { "url": "https://git.kernel.org/stable/c/39a2a6eb5c9b66ea7c8055026303b3aa681b49a5" } ], "title": "sched/fair: Fix shift-out-of-bounds in load_balance()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-47044", "datePublished": "2024-02-28T08:13:49.087Z", "dateReserved": "2024-02-27T18:42:55.969Z", "dateUpdated": "2024-12-19T07:34:11.894Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-47044\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-28T09:15:40.173\",\"lastModified\":\"2024-11-21T06:35:15.187\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/fair: Fix shift-out-of-bounds in load_balance()\\n\\nSyzbot reported a handful of occurrences where an sd-\u003enr_balance_failed can\\ngrow to much higher values than one would expect.\\n\\nA successful load_balance() resets it to 0; a failed one increments\\nit. Once it gets to sd-\u003ecache_nice_tries + 3, this *should* trigger an\\nactive balance, which will either set it to sd-\u003ecache_nice_tries+1 or reset\\nit to 0. However, in case the to-be-active-balanced task is not allowed to\\nrun on env-\u003edst_cpu, then the increment is done without any further\\nmodification.\\n\\nThis could then be repeated ad nauseam, and would explain the absurdly high\\nvalues reported by syzbot (86, 149). VincentG noted there is value in\\nletting sd-\u003ecache_nice_tries grow, so the shift itself should be\\nfixed. That means preventing:\\n\\n \\\"\\\"\\\"\\n If the value of the right operand is negative or is greater than or equal\\n to the width of the promoted left operand, the behavior is undefined.\\n \\\"\\\"\\\"\\n\\nThus we need to cap the shift exponent to\\n BITS_PER_TYPE(typeof(lefthand)) - 1.\\n\\nI had a look around for other similar cases via coccinelle:\\n\\n @expr@\\n position pos;\\n expression E1;\\n expression E2;\\n @@\\n (\\n E1 \u003e\u003e E2@pos\\n |\\n E1 \u003e\u003e E2@pos\\n )\\n\\n @cst depends on expr@\\n position pos;\\n expression expr.E1;\\n constant cst;\\n @@\\n (\\n E1 \u003e\u003e cst@pos\\n |\\n E1 \u003c\u003c cst@pos\\n )\\n\\n @script:python depends on !cst@\\n pos \u003c\u003c expr.pos;\\n exp \u003c\u003c expr.E2;\\n @@\\n # Dirty hack to ignore constexpr\\n if exp.upper() != exp:\\n coccilib.report.print_report(pos[0], \\\"Possible UB shift here\\\")\\n\\nThe only other match in kernel/sched is rq_clock_thermal() which employs\\nsched_thermal_decay_shift, and that exponent is already capped to 10, so\\nthat one is fine.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: sched/fair: corrigi\u00f3 el desplazamiento fuera de los l\u00edmites en load_balance() Syzbot inform\u00f3 sobre varios casos en los que sd-\u0026gt;nr_balance_failed puede crecer a valores mucho m\u00e1s altos de lo que uno esperar\u00eda. . Un load_balance() exitoso lo restablece a 0; uno fallido lo incrementa. Una vez que llegue a sd-\u0026gt;cache_nice_tries + 3, esto *deber\u00eda* activar un saldo activo, que lo establecer\u00e1 en sd-\u0026gt;cache_nice_tries+1 o lo restablecer\u00e1 a 0. Sin embargo, en caso de que el saldo est\u00e9 activo La tarea no puede ejecutarse en env-\u0026gt;dst_cpu, entonces el incremento se realiza sin ninguna modificaci\u00f3n adicional. Esto podr\u00eda repetirse hasta la saciedad y explicar\u00eda los valores absurdamente altos informados por syzbot (86, 149). VincentG se\u00f1al\u00f3 que es valioso dejar que sd-\u0026gt;cache_nice_tries crezca, por lo que el cambio en s\u00ed deber\u00eda corregirse. Eso significa evitar: \\\"\\\"\\\" Si el valor del operando derecho es negativo o es mayor o igual que el ancho del operando izquierdo promocionado, el comportamiento no est\u00e1 definido. \\\"\\\"\\\" Por lo tanto, debemos limitar el exponente de desplazamiento a BITS_PER_TYPE( typeof(lefthand)) - 1. Ech\u00e9 un vistazo a otros casos similares a trav\u00e9s de coccinelle: @expr@ position pos; expresi\u00f3n E1; expresi\u00f3n E2; @@ ( E1 \u0026gt;\u0026gt; E2@pos | E1 \u0026gt;\u0026gt; E2@pos ) @cst depende de expr@ posici\u00f3n pos; expresi\u00f3n expr.E1; cst constante; @@ ( E1 \u0026gt;\u0026gt; cst@pos | E1 \u0026lt;\u0026lt; cst@pos ) @script:python depende de !cst@ pos \u0026lt;\u0026lt; expr.pos; exp \u0026lt;\u0026lt; expr.E2; @@ # Truco sucio para ignorar constexpr if exp.upper() != exp: coccilib.report.print_report(pos[0], \\\"Posible cambio de UB aqu\u00ed\\\") La \u00fanica otra coincidencia en kernel/sched es rq_clock_thermal() que emplea sched_thermal_decay_shift, y ese exponente ya est\u00e1 limitado a 10, por lo que ese est\u00e1 bien.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2f3eab368e313dba35fc2f51ede778bf7b030b54\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/39a2a6eb5c9b66ea7c8055026303b3aa681b49a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/805cea93e66ca7deaaf6ad3b67224ce47c104c2f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/80862cbf76c2646f709a57c4517aefe0b094c774\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2f3eab368e313dba35fc2f51ede778bf7b030b54\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/39a2a6eb5c9b66ea7c8055026303b3aa681b49a5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/805cea93e66ca7deaaf6ad3b67224ce47c104c2f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/80862cbf76c2646f709a57c4517aefe0b094c774\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.