CVE-2021-47553
Vulnerability from cvelistv5
Published: 2024-05-24 15:09
Modified: 2024-12-19 07:44
Severity: no CVSS score in the record (CISA SSVC: Exploitation none, Automatable no, Technical Impact partial)
Summary
In the Linux kernel, the following vulnerability has been resolved:

sched/scs: Reset task stack state in bringup_cpu()

To hot unplug a CPU, the idle task on that CPU calls a few layers of C code before finally leaving the kernel. When KASAN is in use, poisoned shadow is left around for each of the active stack frames. When shadow call stacks (SCS) are in use, the task's saved SCS SP is left pointing at an arbitrary point within the task's shadow call stack.

When a CPU is offlined then onlined back into the kernel, this stale state can adversely affect execution. Stale KASAN shadow can alias new stack frames and result in bogus KASAN warnings. A stale SCS SP is effectively a memory leak, and prevents a portion of the shadow call stack being used. Across a number of hotplug cycles the idle task's entire shadow call stack can become unusable.

We previously fixed the KASAN issue in commit:

  e1b77c92981a5222 ("sched/kasan: remove stale KASAN poison after hotplug")

... by removing any stale KASAN stack poison immediately prior to onlining a CPU.

Subsequently in commit:

  f1a0a376ca0c4ef1 ("sched/core: Initialize the idle task with preemption disabled")

... the refactoring left the KASAN and SCS cleanup in one-time idle thread initialization code rather than something invoked prior to each CPU being onlined, breaking both as above.

We fixed SCS (but not KASAN) in commit:

  63acd42c0d4942f7 ("sched/scs: Reset the shadow stack when idle_task_exit")

... but as this runs in the context of the idle task being offlined it's potentially fragile.

To fix these consistently and more robustly, reset the SCS SP and KASAN shadow of a CPU's idle task immediately before we online that CPU in bringup_cpu(). This ensures the idle task always has a consistent state when it is running, and removes the need to do so when exiting an idle task.

Whenever any thread is created, dup_task_struct() will give the task a stack which is free of KASAN shadow, and initialize the task's SCS SP, so there's no need to specially initialize either for the idle thread within init_idle(), as this was only necessary to handle hotplug cycles.

I've tested this on arm64 with:

* gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK
* clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK

... offlining and onlining CPUs with:

| while true; do
|   for C in /sys/devices/system/cpu/cpu*/online; do
|     echo 0 > $C;
|     echo 1 > $C;
|   done
| done
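The shadow-call-stack leak the commit message describes, as an added illustration that is not kernel code and not taken from this record: a user-space C model of one task's shadow call stack, an offline path that pushes frames and never pops them, and a bringup step that either does or does not reset the saved SP before the CPU comes back. Every name and size here (struct idle_task, SCS_SLOTS, OFFLINE_DEPTH, idle_offline(), hotplug_cycles()) is an assumption made for the demo; scs_task_reset() is named after the kernel helper the bringup_cpu() change calls, which this page does not quote, so treat that correspondence as an assumption too. The KASAN half of the bug (stale stack poison) is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. Sizes are assumptions for the demo:
 * the kernel's per-task shadow call stack is a fixed number of bytes,
 * here it is SCS_SLOTS return-address slots. */
#define SCS_SLOTS     64
#define OFFLINE_DEPTH 4   /* assumed number of unreturned C frames on the offline path */

struct idle_task {
    uintptr_t  scs_base[SCS_SLOTS];  /* the task's shadow call stack */
    uintptr_t *scs_sp;               /* saved shadow stack pointer */
};

static void idle_task_init(struct idle_task *t)
{
    t->scs_sp = t->scs_base;         /* the clean state a freshly created task starts with */
}

/* Instrumented function prologue: push the return address onto the SCS.
 * Returns false when the shadow call stack is exhausted. */
static bool scs_push(struct idle_task *t, uintptr_t ret)
{
    if (t->scs_sp >= t->scs_base + SCS_SLOTS)
        return false;
    *t->scs_sp++ = ret;
    return true;
}

/* Instrumented function epilogue: pop on return. */
static void scs_pop(struct idle_task *t)
{
    t->scs_sp--;
}

/* Offline path: the idle task calls a few layers of C and then leaves the
 * kernel without returning through them, so nothing pops these frames and
 * the saved SCS SP is left mid-stack. */
static bool idle_offline(struct idle_task *t)
{
    for (int depth = 0; depth < OFFLINE_DEPTH; depth++)
        if (!scs_push(t, 0x1000 + depth))   /* constructed return addresses */
            return false;
    return true;
}

/* The fix: reset the saved SP to the base before the CPU is onlined.
 * Named after the kernel helper (assumption; the name is not on this page). */
static void scs_task_reset(struct idle_task *t)
{
    t->scs_sp = t->scs_base;
}

/* Slots still free for the idle task's normal call chains once it is online. */
static size_t scs_free_slots(const struct idle_task *t)
{
    return (size_t)(SCS_SLOTS - (t->scs_sp - t->scs_base));
}

/* Run up to n offline/online cycles. Returns the number of cycles that
 * completed before the shadow call stack ran out; *free_out (may be NULL)
 * receives the free slots left at the end. with_fix selects whether
 * bringup resets the SP, as the patched bringup_cpu() does. */
size_t hotplug_cycles(size_t n, bool with_fix, size_t *free_out)
{
    struct idle_task idle;
    size_t done = 0;

    idle_task_init(&idle);
    for (; done < n; done++) {
        if (with_fix)
            scs_task_reset(&idle);    /* online with clean state */
        /* The onlined idle task does balanced work: one push, one pop. */
        if (!scs_push(&idle, 0x2000))
            break;                    /* no room even for one frame */
        scs_pop(&idle);
        if (!idle_offline(&idle))     /* CPU goes offline, frames never popped */
            break;
    }
    if (free_out)
        *free_out = scs_free_slots(&idle);
    return done;
}

/* Convenience wrapper: free slots left after n cycles. */
size_t free_after_cycles(size_t n, bool with_fix)
{
    size_t free_slots = 0;
    hotplug_cycles(n, with_fix, &free_slots);
    return free_slots;
}

int main(void)
{
    printf("without reset: %zu cycles before exhaustion, %zu slots free\n",
           hotplug_cycles(100, false, NULL), free_after_cycles(100, false));
    printf("with reset:    %zu cycles completed, %zu slots free\n",
           hotplug_cycles(100, true, NULL), free_after_cycles(100, true));
    return 0;
}
```

Without the reset each cycle permanently consumes OFFLINE_DEPTH slots, so the 64-slot stack is gone after 16 cycles and the 17th online cannot push a single frame; with the reset every cycle starts from the base and the usable depth never shrinks. That is the "effectively a memory leak" the message refers to, and why the fix belongs on the online side (bringup_cpu()) rather than in the exiting idle task.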
Impacted products
Vendor: Linux; Product: Linux; Version: 5.14 (per the version ranges in the record below, fixed in 5.10.83, 5.15.6 and 5.16)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T19:56:42.885646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T19:57:05.890Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.871Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e6ee7abd6bfe559ad9989004b34c320fd638c526"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/229c555260cb9c1ccdab861e16f0410f1718f302"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/cpu.c",
            "kernel/sched/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e6ee7abd6bfe559ad9989004b34c320fd638c526",
              "status": "affected",
              "version": "3c51d82d0b7862d7d246016c74b4390fb1fa1f11",
              "versionType": "git"
            },
            {
              "lessThan": "229c555260cb9c1ccdab861e16f0410f1718f302",
              "status": "affected",
              "version": "f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674",
              "versionType": "git"
            },
            {
              "lessThan": "dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3",
              "status": "affected",
              "version": "f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/cpu.c",
            "kernel/sched/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/scs: Reset task stack state in bringup_cpu()\n\nTo hot unplug a CPU, the idle task on that CPU calls a few layers of C\ncode before finally leaving the kernel. When KASAN is in use, poisoned\nshadow is left around for each of the active stack frames, and when\nshadow call stacks are in use. When shadow call stacks (SCS) are in use\nthe task\u0027s saved SCS SP is left pointing at an arbitrary point within\nthe task\u0027s shadow call stack.\n\nWhen a CPU is offlined than onlined back into the kernel, this stale\nstate can adversely affect execution. Stale KASAN shadow can alias new\nstackframes and result in bogus KASAN warnings. A stale SCS SP is\neffectively a memory leak, and prevents a portion of the shadow call\nstack being used. Across a number of hotplug cycles the idle task\u0027s\nentire shadow call stack can become unusable.\n\nWe previously fixed the KASAN issue in commit:\n\n  e1b77c92981a5222 (\"sched/kasan: remove stale KASAN poison after hotplug\")\n\n... by removing any stale KASAN stack poison immediately prior to\nonlining a CPU.\n\nSubsequently in commit:\n\n  f1a0a376ca0c4ef1 (\"sched/core: Initialize the idle task with preemption disabled\")\n\n... the refactoring left the KASAN and SCS cleanup in one-time idle\nthread initialization code rather than something invoked prior to each\nCPU being onlined, breaking both as above.\n\nWe fixed SCS (but not KASAN) in commit:\n\n  63acd42c0d4942f7 (\"sched/scs: Reset the shadow stack when idle_task_exit\")\n\n... but as this runs in the context of the idle task being offlined it\u0027s\npotentially fragile.\n\nTo fix these consistently and more robustly, reset the SCS SP and KASAN\nshadow of a CPU\u0027s idle task immediately before we online that CPU in\nbringup_cpu(). This ensures the idle task always has a consistent state\nwhen it is running, and removes the need to so so when exiting an idle\ntask.\n\nWhenever any thread is created, dup_task_struct() will give the task a\nstack which is free of KASAN shadow, and initialize the task\u0027s SCS SP,\nso there\u0027s no need to specially initialize either for idle thread within\ninit_idle(), as this was only necessary to handle hotplug cycles.\n\nI\u0027ve tested this on arm64 with:\n\n* gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK\n* clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK\n\n... offlining and onlining CPUS with:\n\n| while true; do\n|   for C in /sys/devices/system/cpu/cpu*/online; do\n|     echo 0 \u003e $C;\n|     echo 1 \u003e $C;\n|   done\n| done"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:44:41.239Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e6ee7abd6bfe559ad9989004b34c320fd638c526"
        },
        {
          "url": "https://git.kernel.org/stable/c/229c555260cb9c1ccdab861e16f0410f1718f302"
        },
        {
          "url": "https://git.kernel.org/stable/c/dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3"
        }
      ],
      "title": "sched/scs: Reset task stack state in bringup_cpu()",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47553",
    "datePublished": "2024-05-24T15:09:55.961Z",
    "dateReserved": "2024-05-24T15:02:54.833Z",
    "dateUpdated": "2024-12-19T07:44:41.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47553\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:20.080\",\"lastModified\":\"2024-11-21T06:36:32.240\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/scs: Reset task stack state in bringup_cpu()\\n\\nTo hot unplug a CPU, the idle task on that CPU calls a few layers of C\\ncode before finally leaving the kernel. When KASAN is in use, poisoned\\nshadow is left around for each of the active stack frames, and when\\nshadow call stacks are in use. When shadow call stacks (SCS) are in use\\nthe task\u0027s saved SCS SP is left pointing at an arbitrary point within\\nthe task\u0027s shadow call stack.\\n\\nWhen a CPU is offlined than onlined back into the kernel, this stale\\nstate can adversely affect execution. Stale KASAN shadow can alias new\\nstackframes and result in bogus KASAN warnings. A stale SCS SP is\\neffectively a memory leak, and prevents a portion of the shadow call\\nstack being used. Across a number of hotplug cycles the idle task\u0027s\\nentire shadow call stack can become unusable.\\n\\nWe previously fixed the KASAN issue in commit:\\n\\n  e1b77c92981a5222 (\\\"sched/kasan: remove stale KASAN poison after hotplug\\\")\\n\\n... by removing any stale KASAN stack poison immediately prior to\\nonlining a CPU.\\n\\nSubsequently in commit:\\n\\n  f1a0a376ca0c4ef1 (\\\"sched/core: Initialize the idle task with preemption disabled\\\")\\n\\n... the refactoring left the KASAN and SCS cleanup in one-time idle\\nthread initialization code rather than something invoked prior to each\\nCPU being onlined, breaking both as above.\\n\\nWe fixed SCS (but not KASAN) in commit:\\n\\n  63acd42c0d4942f7 (\\\"sched/scs: Reset the shadow stack when idle_task_exit\\\")\\n\\n... 
but as this runs in the context of the idle task being offlined it\u0027s\\npotentially fragile.\\n\\nTo fix these consistently and more robustly, reset the SCS SP and KASAN\\nshadow of a CPU\u0027s idle task immediately before we online that CPU in\\nbringup_cpu(). This ensures the idle task always has a consistent state\\nwhen it is running, and removes the need to so so when exiting an idle\\ntask.\\n\\nWhenever any thread is created, dup_task_struct() will give the task a\\nstack which is free of KASAN shadow, and initialize the task\u0027s SCS SP,\\nso there\u0027s no need to specially initialize either for idle thread within\\ninit_idle(), as this was only necessary to handle hotplug cycles.\\n\\nI\u0027ve tested this on arm64 with:\\n\\n* gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK\\n* clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK\\n\\n... offlining and onlining CPUS with:\\n\\n| while true; do\\n|   for C in /sys/devices/system/cpu/cpu*/online; do\\n|     echo 0 \u003e $C;\\n|     echo 1 \u003e $C;\\n|   done\\n| done\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: sched/scs: restablecer el estado de la pila de tareas en Bringup_cpu() Para desconectar en caliente una CPU, la tarea inactiva en esa CPU llama a algunas capas de c\u00f3digo C antes de abandonar finalmente el kernel. Cuando KASAN est\u00e1 en uso, se deja una sombra envenenada para cada uno de los marcos de pila activos y cuando las pilas de llamadas de sombra est\u00e1n en uso. Cuando se utilizan pilas de llamadas ocultas (SCS), el SCS SP guardado de la tarea se deja apuntando a un punto arbitrario dentro de la pila de llamadas ocultas de la tarea. Cuando una CPU est\u00e1 desconectada y luego conectada nuevamente al kernel, este estado obsoleto puede afectar negativamente la ejecuci\u00f3n. La sombra de KASAN obsoleta puede generar alias en nuevos marcos de pila y generar advertencias de KASAN falsas. 
Un SCS SP obsoleto es efectivamente una p\u00e9rdida de memoria e impide que se utilice una parte de la pila de llamadas ocultas. Despu\u00e9s de varios ciclos de conexi\u00f3n en caliente, toda la pila de llamadas ocultas de la tarea inactiva puede quedar inutilizable. Anteriormente solucionamos el problema de KASAN en el commit: e1b77c92981a5222 (\\\"sched/kasan: eliminar el veneno de KASAN obsoleto despu\u00e9s de la conexi\u00f3n en caliente\\\")... eliminando cualquier veneno de pila de KASAN obsoleto inmediatamente antes de conectar una CPU. Posteriormente, en El commit: f1a0a376ca0c4ef1 (\\\"sched/core: Inicialice la tarea inactiva con la preferencia deshabilitada\\\")... la refactorizaci\u00f3n dej\u00f3 la limpieza de KASAN y SCS en un c\u00f3digo de inicializaci\u00f3n de subproceso inactivo de una sola vez en lugar de algo invocado antes de que cada CPU se conectara. rompiendo ambos como arriba. Arreglamos SCS (pero no KASAN) en El commit: 63acd42c0d4942f7 (\\\"sched/scs: restablecer la pila de sombra cuando idle_task_exit\\\")... pero como esto se ejecuta en el contexto de la tarea inactiva que est\u00e1 fuera de l\u00ednea, es potencialmente fr\u00e1gil. Para solucionar estos problemas de manera consistente y m\u00e1s s\u00f3lida, restablezca la sombra SCS SP y KASAN de la tarea inactiva de una CPU inmediatamente antes de conectar esa CPU en Bringup_cpu(). Esto garantiza que la tarea inactiva siempre tenga un estado consistente cuando se est\u00e1 ejecutando y elimina la necesidad de tenerlo al salir de una tarea inactiva. Siempre que se crea un subproceso, dup_task_struct() le dar\u00e1 a la tarea una pila que est\u00e1 libre de sombra KASAN e inicializar\u00e1 el SP SCS de la tarea, por lo que no hay necesidad de inicializar especialmente ninguno de los subprocesos inactivos dentro de init_idle(), ya que esto solo era necesario para manejar ciclos de conexi\u00f3n en caliente. 
Prob\u00e9 esto en arm64 con: * gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK * clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK ... offlining and onlining CPUS with: | while true; do | for C in /sys/devices/system/cpu/cpu*/online; do | echo 0 \u0026gt; $C; | echo 1 \u0026gt; $C; | done | done \"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/229c555260cb9c1ccdab861e16f0410f1718f302\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6ee7abd6bfe559ad9989004b34c320fd638c526\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/229c555260cb9c1ccdab861e16f0410f1718f302\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e6ee7abd6bfe559ad9989004b34c320fd638c526\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

