cve/published/2021/CVE-2021-47221.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47221: mm/slub: actually fix freelist pointer vs redzoning

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/slub: actually fix freelist pointer vs redzoning

 It turns out that SLUB redzoning ("slub_debug=Z") checks from
 s->object_size rather than from s->inuse (which is normally bumped to
 make room for the freelist pointer), so a cache created with an object
 size less than 24 would have the freelist pointer written beyond
 s->object_size, causing the redzone to be corrupted by the freelist
 pointer.  This was very visible with "slub_debug=ZF":

   BUG test (Tainted: G    B            ): Right Redzone overwritten
   -----------------------------------------------------------------------------

   INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb
   INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200
   INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620

   Redzone  (____ptrval____): bb bb bb bb bb bb bb bb               ........
   Object   (____ptrval____): 00 00 00 00 00 f6 f4 a5               ........
   Redzone  (____ptrval____): 40 1d e8 1a aa                        @....
   Padding  (____ptrval____): 00 00 00 00 00 00 00 00               ........

 Adjust the offset to stay within s->object_size.

 (Note that no caches of in this size range are known to exist in the
 kernel currently.)

 The Linux kernel CVE team has assigned CVE-2021-47221 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit 89b83f282d8ba380cf2124f88106c57df49c538c and fixed in 5.10.46 with commit f6ed2357541612a13a5841b3af4dc32ed984a25f
 	Issue introduced in 5.7 with commit 89b83f282d8ba380cf2124f88106c57df49c538c and fixed in 5.12.13 with commit ce6e8bee7a3883e8008b30f5887dbb426aac6a35
 	Issue introduced in 5.7 with commit 89b83f282d8ba380cf2124f88106c57df49c538c and fixed in 5.13 with commit e41a49fadbc80b60b48d3c095d9e2ee7ef7c9a8e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47221
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/slub.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f6ed2357541612a13a5841b3af4dc32ed984a25f
 	https://git.kernel.org/stable/c/ce6e8bee7a3883e8008b30f5887dbb426aac6a35
 	https://git.kernel.org/stable/c/e41a49fadbc80b60b48d3c095d9e2ee7ef7c9a8e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47221: mm/slub: actually fix freelist pointer vs redzoning

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/slub: actually fix freelist pointer vs redzoning

	It turns out that SLUB redzoning ("slub_debug=Z") checks from
	s->object_size rather than from s->inuse (which is normally bumped to
	make room for the freelist pointer), so a cache created with an object
	size less than 24 would have the freelist pointer written beyond
	s->object_size, causing the redzone to be corrupted by the freelist
	pointer. This was very visible with "slub_debug=ZF":

	BUG test (Tainted: G B ): Right Redzone overwritten
	-----------------------------------------------------------------------------

	INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb
	INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200
	INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620

	Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........
	Object (____ptrval____): 00 00 00 00 00 f6 f4 a5 ........
	Redzone (____ptrval____): 40 1d e8 1a aa @....
	Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........

	Adjust the offset to stay within s->object_size.

	(Note that no caches of in this size range are known to exist in the
	kernel currently.)

	The Linux kernel CVE team has assigned CVE-2021-47221 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit 89b83f282d8ba380cf2124f88106c57df49c538c and fixed in 5.10.46 with commit f6ed2357541612a13a5841b3af4dc32ed984a25f
	Issue introduced in 5.7 with commit 89b83f282d8ba380cf2124f88106c57df49c538c and fixed in 5.12.13 with commit ce6e8bee7a3883e8008b30f5887dbb426aac6a35
	Issue introduced in 5.7 with commit 89b83f282d8ba380cf2124f88106c57df49c538c and fixed in 5.13 with commit e41a49fadbc80b60b48d3c095d9e2ee7ef7c9a8e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47221
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/slub.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f6ed2357541612a13a5841b3af4dc32ed984a25f
	https://git.kernel.org/stable/c/ce6e8bee7a3883e8008b30f5887dbb426aac6a35
	https://git.kernel.org/stable/c/e41a49fadbc80b60b48d3c095d9e2ee7ef7c9a8e