cve-2021-46961
Vulnerability from cvelistv5
Published
2024-02-27 18:47
Modified
2024-08-04 05:17
Severity
Summary
irqchip/gic-v3: Do not enable irqs when handling spurious interrups
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:42:57.303653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:13:07.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:17:42.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7ea8e46e3b7",
"status": "affected",
"version": "3f1f3234bc2d",
"versionType": "git"
},
{
"lessThan": "7be4db5c2b59",
"status": "affected",
"version": "3f1f3234bc2d",
"versionType": "git"
},
{
"lessThan": "ea817ac1014c",
"status": "affected",
"version": "3f1f3234bc2d",
"versionType": "git"
},
{
"lessThan": "3f72d3709f53",
"status": "affected",
"version": "3f1f3234bc2d",
"versionType": "git"
},
{
"lessThan": "a97709f563a0",
"status": "affected",
"version": "3f1f3234bc2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.118",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.36",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.11.*",
"status": "unaffected",
"version": "5.11.20",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"version": "5.12.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3: Do not enable irqs when handling spurious interrups\n\nWe triggered the following error while running our 4.19 kernel\nwith the pseudo-NMI patches backported to it:\n\n[ 14.816231] ------------[ cut here ]------------\n[ 14.816231] kernel BUG at irq.c:99!\n[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP\n[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))\n[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14\n[ 14.816233] Hardware name: evb (DT)\n[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[ 14.816234] pc : asm_nmi_enter+0x94/0x98\n[ 14.816235] lr : asm_nmi_enter+0x18/0x98\n[ 14.816235] sp : ffff000008003c50\n[ 14.816235] pmr_save: 00000070\n[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0\n[ 14.816238] x27: 0000000000000000 x26: ffff000008004000\n[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000\n[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc\n[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060\n[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff\n[ 14.816243] x17: 0000000000000008 x16: 003d090000000000\n[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40\n[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000\n[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5\n[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f\n[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e\n[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000\n[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000\n[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0\n[ 14.816251] Call trace:\n[ 14.816251] asm_nmi_enter+0x94/0x98\n[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)\n[ 14.816252] gic_handle_irq+0xbc/0x2e4\n[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)\n[ 14.816253] arch_timer_handler_virt+0x38/0x58\n[ 14.816253] handle_percpu_devid_irq+0x90/0x240\n[ 14.816253] generic_handle_irq+0x34/0x50\n[ 14.816254] __handle_domain_irq+0x68/0xc0\n[ 14.816254] gic_handle_irq+0xf8/0x2e4\n[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)\n[ 14.816255] arch_cpu_idle+0x34/0x1c8\n[ 14.816255] default_idle_call+0x24/0x44\n[ 14.816256] do_idle+0x1d0/0x2c8\n[ 14.816256] cpu_startup_entry+0x28/0x30\n[ 14.816256] rest_init+0xb8/0xc8\n[ 14.816257] start_kernel+0x4c8/0x4f4\n[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)\n[ 14.816258] Modules linked in: start_dp(O) smeth(O)\n[ 15.103092] ---[ end trace 701753956cb14aa8 ]---\n[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt\n[ 15.103099] SMP: stopping secondary CPUs\n[ 15.103100] Kernel Offset: disabled\n[ 15.103100] CPU features: 0x36,a2400218\n[ 15.103100] Memory Limit: none\n\nwhich is cause by a \u0027BUG_ON(in_nmi())\u0027 in nmi_enter().\n\nFrom the call trace, we can find three interrupts (noted A, B, C above):\ninterrupt (A) is preempted by (B), which is further interrupted by (C).\n\nSubsequent investigations show that (B) results in nmi_enter() being\ncalled, but that it actually is a spurious interrupt. Furthermore,\ninterrupts are reenabled in the context of (B), and (C) fires with\nNMI priority. We end-up with a nested NMI situation, something\nwe definitely do not want to (and cannot) handle.\n\nThe bug here is that spurious interrupts should never result in any\nstate change, and we should just return to the interrupted context.\nMoving the handling of spurious interrupts as early as possible in\nthe GICv3 handler fixes this issue.\n\n[maz: rewrote commit message, corrected Fixes: tag]"
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T04:59:35.687Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926"
},
{
"url": "https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202"
},
{
"url": "https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba"
},
{
"url": "https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36"
},
{
"url": "https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a"
}
],
"title": "irqchip/gic-v3: Do not enable irqs when handling spurious interrups",
"x_generator": {
"engine": "bippy-a5840b7849dd"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-46961",
"datePublished": "2024-02-27T18:47:00.560Z",
"dateReserved": "2024-02-27T18:42:55.942Z",
"dateUpdated": "2024-08-04T05:17:42.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-46961\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T19:04:06.907\",\"lastModified\":\"2024-02-28T14:06:45.783\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nirqchip/gic-v3: Do not enable irqs when handling spurious interrups\\n\\nWe triggered the following error while running our 4.19 kernel\\nwith the pseudo-NMI patches backported to it:\\n\\n[ 14.816231] ------------[ cut here ]------------\\n[ 14.816231] kernel BUG at irq.c:99!\\n[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP\\n[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))\\n[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14\\n[ 14.816233] Hardware name: evb (DT)\\n[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)\\n[ 14.816234] pc : asm_nmi_enter+0x94/0x98\\n[ 14.816235] lr : asm_nmi_enter+0x18/0x98\\n[ 14.816235] sp : ffff000008003c50\\n[ 14.816235] pmr_save: 00000070\\n[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0\\n[ 14.816238] x27: 0000000000000000 x26: ffff000008004000\\n[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000\\n[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc\\n[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060\\n[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff\\n[ 14.816243] x17: 0000000000000008 x16: 003d090000000000\\n[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40\\n[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000\\n[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5\\n[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f\\n[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e\\n[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000\\n[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000\\n[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0\\n[ 14.816251] Call trace:\\n[ 14.816251] asm_nmi_enter+0x94/0x98\\n[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)\\n[ 14.816252] gic_handle_irq+0xbc/0x2e4\\n[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)\\n[ 14.816253] arch_timer_handler_virt+0x38/0x58\\n[ 14.816253] handle_percpu_devid_irq+0x90/0x240\\n[ 14.816253] generic_handle_irq+0x34/0x50\\n[ 14.816254] __handle_domain_irq+0x68/0xc0\\n[ 14.816254] gic_handle_irq+0xf8/0x2e4\\n[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)\\n[ 14.816255] arch_cpu_idle+0x34/0x1c8\\n[ 14.816255] default_idle_call+0x24/0x44\\n[ 14.816256] do_idle+0x1d0/0x2c8\\n[ 14.816256] cpu_startup_entry+0x28/0x30\\n[ 14.816256] rest_init+0xb8/0xc8\\n[ 14.816257] start_kernel+0x4c8/0x4f4\\n[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)\\n[ 14.816258] Modules linked in: start_dp(O) smeth(O)\\n[ 15.103092] ---[ end trace 701753956cb14aa8 ]---\\n[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt\\n[ 15.103099] SMP: stopping secondary CPUs\\n[ 15.103100] Kernel Offset: disabled\\n[ 15.103100] CPU features: 0x36,a2400218\\n[ 15.103100] Memory Limit: none\\n\\nwhich is cause by a \u0027BUG_ON(in_nmi())\u0027 in nmi_enter().\\n\\nFrom the call trace, we can find three interrupts (noted A, B, C above):\\ninterrupt (A) is preempted by (B), which is further interrupted by (C).\\n\\nSubsequent investigations show that (B) results in nmi_enter() being\\ncalled, but that it actually is a spurious interrupt. Furthermore,\\ninterrupts are reenabled in the context of (B), and (C) fires with\\nNMI priority. We end-up with a nested NMI situation, something\\nwe definitely do not want to (and cannot) handle.\\n\\nThe bug here is that spurious interrupts should never result in any\\nstate change, and we should just return to the interrupted context.\\nMoving the handling of spurious interrupts as early as possible in\\nthe GICv3 handler fixes this issue.\\n\\n[maz: rewrote commit message, corrected Fixes: tag]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: irqchip/gic-v3: no habilitar irqs cuando se manejan interrupciones espurias. Activamos el siguiente error al ejecutar nuestro kernel 4.19 con los parches pseudo-NMI respaldados: [14.816231] - -----------[ cortar aqu\u00ed ]------------ \u00a1ERROR del kernel [14.816231] en irq.c:99! [14.816232] Error interno: Ups - ERROR: 0 [#1] SMP [14.816232] Intercambiador de procesos/0 (pid: 0, l\u00edmite de pila = 0x(____ptrval____)) [14.816233] CPU: 0 PID: 0 Comunicaciones: intercambiador/0 Contaminado: GO 4.19.95.aarch64 #14 [ 14.816233] Nombre de hardware: evb (DT) [ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO) [ 14.816234] pc : asm_nmi_enter+0x94/0x98 [ 14.816235] lr : asm_nmi_enter +0x18/0x98 [ 14.816235] sp : ffff000008003c50 [ 14.816235] pmr_save: 00000070 [ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0 [ 14.816 238] x27: 0000000000000000 x26: ffff000008004000 [ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000 [ 14.816240] x23: 000000002040 0005x22 : ffff0000080817cc [ 14.816241] x21: ffff000008003da0 x20: 0000000000000060 [ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff [ 14.816243] x 17: 0000000000000008 x16: 003d090000000000 [ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40 [ 14.816244] x13: ffff8008fff58b9d x12: 00 00000000000000 [14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5 [ 14.816246] x9 : ffff000008c8a208 x8 : 0000000000000000f [ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e [ 14.816248] x5 : 00000000000000000 x4 : 0000000080000000 [ 14.816249] x3 : 00000000000000000 x2 : 0000000080000000 [ 14.81 6250] x1: 0000000000120000 x0: ffff0000095f56c0 [ 14.816251] Rastreo de llamadas: [ 14.816251] asm_nmi_enter+0x94/0x98 [ 14.816251] el1_irq+0x8c/0x180 (IRQ C) [ 14.816252] gic_handle_irq+0xbc/0x2e4 [ 14.816252] el1_irq+0xcc/0x180 (IRQ B) [ 14.816253] arch_timer_handler_virt+0x38/0x58 [ 14.816253] handle_percpu_devid_irq+0x90/0x240 [ 14.816253] generic_handle_irq+0x34/0x50 [ 14.816254] __handle_domain_irq+0x68/0xc0 [ 14.81625 4] gic_handle_irq+0xf8/0x2e4 [ 14.816255] el1_irq+0xcc/0x180 (IRQ A) [ 14.816255] arch_cpu_idle+0x34/0x1c8 [ 14.816255] default_idle_call+0x24/0x44 [ 14.816256] do_idle+0x1d0/0x2c8 [ 14.816256] cpu_startup_entry+0x28/0x30 [ 14.8162 56] rest_init+0xb8/0xc8 [ 14.816257] start_kernel+0x4c8/0x4f4 [ 14.816257] C\u00f3digo: 940587f1 d5384100 b9401001 36a7fd01 (d4210000) [14.816258] M\u00f3dulos vinculados en: start_dp(O) smeth(O) [15.103092] ---[ end trace 701753956cb14aa8 ]--- [ 15.1030 93] P\u00e1nico en el kernel: no se sincroniza: excepci\u00f3n fatal en interrupci\u00f3n [15.103099] SMP: deteniendo CPU secundarias [15.103100] Desplazamiento del kernel: deshabilitado [15.103100] Caracter\u00edsticas de la CPU: 0x36,a2400218 [15.103100] L\u00edmite de memoria: ninguno causado por un \u0027BUG_ON(in_nmi())\u0027 en nmi_enter(). Desde el seguimiento de la llamada, podemos encontrar tres interrupciones (anotadas A, B, C arriba): la interrupci\u00f3n (A) es reemplazada por (B), que es interrumpida a\u00fan m\u00e1s por (C). Investigaciones posteriores muestran que (B) da como resultado que se llame a nmi_enter(), pero que en realidad es una interrupci\u00f3n espuria. Adem\u00e1s, las interrupciones se vuelven a habilitar en el contexto de incendios (B) y (C) con prioridad NMI. Terminamos con una situaci\u00f3n de NMI anidada, algo que definitivamente no queremos (y no podemos) manejar. El error aqu\u00ed es que las interrupciones espurias nunca deber\u00edan dar lugar a ning\u00fan cambio de estado y simplemente deber\u00edamos volver al contexto interrumpido. Mover el manejo de interrupciones espurias lo antes posible en el controlador GICv3 soluciona este problema. [maz: reescrib\u00ed el mensaje de confirmaci\u00f3n, corregido Correcciones: etiqueta]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...