CVE-2021-47618
Vulnerability from cvelistv5
Published: 2024-06-20 10:57
Modified: 2024-08-04 05:47
Severity: (none listed)
Summary: ARM: 9170/1: fix panic when kasan and kprobe are enabled
Impacted products:
  Vendor: Linux, Product: Linux
  Vendor: Linux, Product: Linux


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-20T13:27:36.536880Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-20T13:27:44.311Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:47:40.829Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1515e72aae803fc6b466adf918e71c4e4c9d5b3d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ba1863be105b06e10d0e2f6b1b8a0570801cfc71"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8b59b0a53c840921b625378f137e88adfa87647e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm/probes/kprobes/Makefile"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1515e72aae80",
              "status": "affected",
              "version": "35aa1df43283",
              "versionType": "git"
            },
            {
              "lessThan": "ba1863be105b",
              "status": "affected",
              "version": "35aa1df43283",
              "versionType": "git"
            },
            {
              "lessThan": "8b59b0a53c84",
              "status": "affected",
              "version": "35aa1df43283",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm/probes/kprobes/Makefile"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.19",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.5",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are enabled\n\narm32 uses software to simulate the instruction replaced\nby kprobe. some instructions may be simulated by constructing\nassembly functions. therefore, before executing instruction\nsimulation, it is necessary to construct assembly function\nexecution environment in C language through binding registers.\nafter kasan is enabled, the register binding relationship will\nbe destroyed, resulting in instruction simulation errors and\ncausing kernel panic.\n\nthe kprobe emulate instruction function is distributed in three\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\nKASAN when compiling these files.\n\nfor example, use kprobe insert on cap_capable+20 after kasan\nenabled, the cap_capable assembly code is as follows:\n\u003ccap_capable\u003e:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne1a05000\tmov\tr5, r0\ne280006c\tadd\tr0, r0, #108    ; 0x6c\ne1a04001\tmov\tr4, r1\ne1a06002\tmov\tr6, r2\ne59fa090\tldr\tsl, [pc, #144]  ;\nebfc7bf8\tbl\tc03aa4b4 \u003c__asan_load4\u003e\ne595706c\tldr\tr7, [r5, #108]  ; 0x6c\ne2859014\tadd\tr9, r5, #20\n......\nThe emulate_ldr assembly code after enabling kasan is as follows:\nc06f1384 \u003cemulate_ldr\u003e:\ne92d47f0\tpush\t{r4, r5, r6, r7, r8, r9, sl, lr}\ne282803c\tadd\tr8, r2, #60     ; 0x3c\ne1a05000\tmov\tr5, r0\ne7e37855\tubfx\tr7, r5, #16, #4\ne1a00008\tmov\tr0, r8\ne1a09001\tmov\tr9, r1\ne1a04002\tmov\tr4, r2\nebf35462\tbl\tc03c6530 \u003c__asan_load4\u003e\ne357000f\tcmp\tr7, #15\ne7e36655\tubfx\tr6, r5, #12, #4\ne205a00f\tand\tsl, r5, #15\n0a000001\tbeq\tc06f13bc \u003cemulate_ldr+0x38\u003e\ne0840107\tadd\tr0, r4, r7, lsl #2\nebf3545c\tbl\tc03c6530 \u003c__asan_load4\u003e\ne084010a\tadd\tr0, r4, sl, lsl #2\nebf3545a\tbl\tc03c6530 \u003c__asan_load4\u003e\ne2890010\tadd\tr0, r9, #16\nebf35458\tbl\tc03c6530 
\u003c__asan_load4\u003e\ne5990010\tldr\tr0, [r9, #16]\ne12fff30\tblx\tr0\ne356000f\tcm\tr6, #15\n1a000014\tbne\tc06f1430 \u003cemulate_ldr+0xac\u003e\ne1a06000\tmov\tr6, r0\ne2840040\tadd\tr0, r4, #64     ; 0x40\n......\n\nwhen running in emulate_ldr to simulate the ldr instruction, panic\noccurred, and the log is as follows:\nUnable to handle kernel NULL pointer dereference at virtual address\n00000090\npgd = ecb46400\n[00000090] *pgd=2e0fa003, *pmd=00000000\nInternal error: Oops: 206 [#1] SMP ARM\nPC is at cap_capable+0x14/0xb0\nLR is at emulate_ldr+0x50/0xc0\npsr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c\nr10: 00000000  r9 : c30897f4  r8 : ecd63cd4\nr7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98\nr3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008\nFlags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\nControl: 32c5387d  Table: 2d546400  DAC: 55555555\nProcess bash (pid: 1643, stack limit = 0xecd60190)\n(cap_capable) from (kprobe_handler+0x218/0x340)\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\n(cap_vm_enough_memory) from\n(security_vm_enough_memory_mm+0x48/0x6c)\n(security_vm_enough_memory_mm) from\n(copy_process.constprop.5+0x16b4/0x25c8)\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\n(_do_fork) from (SyS_clone+0x1c/0x24)\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-20T10:57:02.190Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1515e72aae803fc6b466adf918e71c4e4c9d5b3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba1863be105b06e10d0e2f6b1b8a0570801cfc71"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b59b0a53c840921b625378f137e88adfa87647e"
        }
      ],
      "title": "ARM: 9170/1: fix panic when kasan and kprobe are enabled",
      "x_generator": {
        "engine": "bippy-7d53e8ef8be4"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47618",
    "datePublished": "2024-06-20T10:57:02.190Z",
    "dateReserved": "2024-06-19T14:55:32.795Z",
    "dateUpdated": "2024-08-04T05:47:40.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47618\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-20T11:15:54.477\",\"lastModified\":\"2024-06-20T12:43:25.663\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nARM: 9170/1: fix panic when kasan and kprobe are enabled\\n\\narm32 uses software to simulate the instruction replaced\\nby kprobe. some instructions may be simulated by constructing\\nassembly functions. therefore, before executing instruction\\nsimulation, it is necessary to construct assembly function\\nexecution environment in C language through binding registers.\\nafter kasan is enabled, the register binding relationship will\\nbe destroyed, resulting in instruction simulation errors and\\ncausing kernel panic.\\n\\nthe kprobe emulate instruction function is distributed in three\\nfiles: actions-common.c actions-arm.c actions-thumb.c, so disable\\nKASAN when compiling these files.\\n\\nfor example, use kprobe insert on cap_capable+20 after kasan\\nenabled, the cap_capable assembly code is as follows:\\n\u003ccap_capable\u003e:\\ne92d47f0\\tpush\\t{r4, r5, r6, r7, r8, r9, sl, lr}\\ne1a05000\\tmov\\tr5, r0\\ne280006c\\tadd\\tr0, r0, #108    ; 0x6c\\ne1a04001\\tmov\\tr4, r1\\ne1a06002\\tmov\\tr6, r2\\ne59fa090\\tldr\\tsl, [pc, #144]  ;\\nebfc7bf8\\tbl\\tc03aa4b4 \u003c__asan_load4\u003e\\ne595706c\\tldr\\tr7, [r5, #108]  ; 0x6c\\ne2859014\\tadd\\tr9, r5, #20\\n......\\nThe emulate_ldr assembly code after enabling kasan is as follows:\\nc06f1384 \u003cemulate_ldr\u003e:\\ne92d47f0\\tpush\\t{r4, r5, r6, r7, r8, r9, sl, lr}\\ne282803c\\tadd\\tr8, r2, #60     ; 0x3c\\ne1a05000\\tmov\\tr5, r0\\ne7e37855\\tubfx\\tr7, r5, #16, #4\\ne1a00008\\tmov\\tr0, r8\\ne1a09001\\tmov\\tr9, r1\\ne1a04002\\tmov\\tr4, r2\\nebf35462\\tbl\\tc03c6530 \u003c__asan_load4\u003e\\ne357000f\\tcmp\\tr7, #15\\ne7e36655\\tubfx\\tr6, r5, #12, 
#4\\ne205a00f\\tand\\tsl, r5, #15\\n0a000001\\tbeq\\tc06f13bc \u003cemulate_ldr+0x38\u003e\\ne0840107\\tadd\\tr0, r4, r7, lsl #2\\nebf3545c\\tbl\\tc03c6530 \u003c__asan_load4\u003e\\ne084010a\\tadd\\tr0, r4, sl, lsl #2\\nebf3545a\\tbl\\tc03c6530 \u003c__asan_load4\u003e\\ne2890010\\tadd\\tr0, r9, #16\\nebf35458\\tbl\\tc03c6530 \u003c__asan_load4\u003e\\ne5990010\\tldr\\tr0, [r9, #16]\\ne12fff30\\tblx\\tr0\\ne356000f\\tcm\\tr6, #15\\n1a000014\\tbne\\tc06f1430 \u003cemulate_ldr+0xac\u003e\\ne1a06000\\tmov\\tr6, r0\\ne2840040\\tadd\\tr0, r4, #64     ; 0x40\\n......\\n\\nwhen running in emulate_ldr to simulate the ldr instruction, panic\\noccurred, and the log is as follows:\\nUnable to handle kernel NULL pointer dereference at virtual address\\n00000090\\npgd = ecb46400\\n[00000090] *pgd=2e0fa003, *pmd=00000000\\nInternal error: Oops: 206 [#1] SMP ARM\\nPC is at cap_capable+0x14/0xb0\\nLR is at emulate_ldr+0x50/0xc0\\npsr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c\\nr10: 00000000  r9 : c30897f4  r8 : ecd63cd4\\nr7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98\\nr3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008\\nFlags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user\\nControl: 32c5387d  Table: 2d546400  DAC: 55555555\\nProcess bash (pid: 1643, stack limit = 0xecd60190)\\n(cap_capable) from (kprobe_handler+0x218/0x340)\\n(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)\\n(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)\\n(do_undefinstr) from (__und_svc_finish+0x0/0x30)\\n(__und_svc_finish) from (cap_capable+0x18/0xb0)\\n(cap_capable) from (cap_vm_enough_memory+0x38/0x48)\\n(cap_vm_enough_memory) from\\n(security_vm_enough_memory_mm+0x48/0x6c)\\n(security_vm_enough_memory_mm) from\\n(copy_process.constprop.5+0x16b4/0x25c8)\\n(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)\\n(_do_fork) from (SyS_clone+0x1c/0x24)\\n(SyS_clone) from (__sys_trace_return+0x0/0x10)\\nCode: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 
(f801f0e7)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ARM: 9170/1: soluciona el p\u00e1nico cuando kasan y kprobe est\u00e1n habilitados arm32 usa software para simular la instrucci\u00f3n reemplazada por kprobe. Algunas instrucciones pueden simularse mediante la construcci\u00f3n de funciones de ensamblaje. por lo tanto, antes de ejecutar la simulaci\u00f3n de instrucciones, es necesario construir un entorno de ejecuci\u00f3n de funciones de ensamblaje en lenguaje C mediante registros vinculantes. despu\u00e9s de habilitar kasan, la relaci\u00f3n de enlace de registros se destruir\u00e1, lo que provocar\u00e1 errores de simulaci\u00f3n de instrucciones y provocar\u00e1 p\u00e1nico en el kernel. La funci\u00f3n de emulaci\u00f3n de instrucciones de kprobe se distribuye en tres archivos: acciones-common.c acciones-arm.c acciones-thumb.c, por lo tanto, desactive KASAN al compilar estos archivos. por ejemplo, use kprobe insert en cap_capable+20 despu\u00e9s de habilitar kasan, el c\u00f3digo ensamblador de cap_capable es el siguiente: : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c agregue r0, r0, #108; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [ordenador personal, #144]; ebfc7bf8 bl c03aa4b4 \u0026lt;__asan_load4\u0026gt; e595706c ldr r7, [r5, #108]; 0x6c e2859014 add r9, r5, #20 ...... 
El c\u00f3digo ensamblador emulate_ldr despu\u00e9s de habilitar kasan es el siguiente: c06f1384 : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c agregue r8, r2, #60; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 \u0026lt;__asan_load 4\u0026gt; e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f y sl, r5, #15 0a000001 beq c06f13bc  e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 \u0026lt;__asan_load4\u0026gt; e084010a add r0, 4, sl, lsl #2 ebf3545a bl c03c6530 \u0026lt;__asan_load4\u0026gt; e2890010 agregar r0, r9, #16 ebf35458 bl c03c6530 \u0026lt;__asan_load4\u0026gt; e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 14 bne c06f1430  e1a06000 mov r6, r0 e2840040 agregar r0, r4, #64; 0x40 ...... cuando se ejecuta emulate_ldr para simular la instrucci\u00f3n ldr, se produce p\u00e1nico y el registro es el siguiente: No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, * pmd=00000000 Error interno: Ups: 206 [#1] La PC SMP ARM est\u00e1 en cap_capable+0x14/0xb0 LR est\u00e1 en emulate_ldr+0x50/0xc0 psr: 600d0293 sp: ecd63af8 ip: 00000004 fp: c0a7c30c r10: r9: c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Banderas: nZCv IRQ desactivadas FIQ activadas Modo SVC_3 2 Usuario de segmento ISA ARM Control: 32c5387d Tabla: 2d546400 DAC: 55555555 Proceso bash (pid: 1643, l\u00edmite de pila = 0xecd60190) (cap_capable) de (kprobe_handler+0x218/0x340) (kprobe_handler) de (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) de (do_undefinstr+0x13c/0x364) (do_undefinstr) de (__ und_svc_finish+ 0x0/0x30) (__und_svc_finish) de (cap_capable+0x18/0xb0) (cap_capable) de (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) de (security_vm_enough_memory_mm+0x48/0x6c) 
(security_vm_enough_memory_mm) de (copy_process .constprop.5+0x16b4/ 0x25c8) (copy_process.constprop.5) de (_do_fork+0xe8/0x55c) (_do_fork) de (SyS_clone+0x1c/0x24) (SyS_clone) de (__sys_trace_return+0x0/0x10) C\u00f3digo: 0050a0e1 6c0080e2 0260a0e1 (f801f0e7)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1515e72aae803fc6b466adf918e71c4e4c9d5b3d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8b59b0a53c840921b625378f137e88adfa87647e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ba1863be105b06e10d0e2f6b1b8a0570801cfc71\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

