cve/published/2021/CVE-2021-47274.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47274: tracing: Correct the length check which causes memory corruption

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tracing: Correct the length check which causes memory corruption

 We've suffered from severe kernel crashes due to memory corruption on
 our production environment, like,

 Call Trace:
 [1640542.554277] general protection fault: 0000 [#1] SMP PTI
 [1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
 [1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
 [1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
 [1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX:
 0000000006e931bf
 [1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI:
 ffff9a45ff004300
 [1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09:
 0000000000000000
 [1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12:
 ffffffff9a20608d
 [1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15:
 696c662f65636976
 [1640542.563128] FS:  00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000)
 knlGS:0000000000000000
 [1640542.563937] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4:
 00000000003606e0
 [1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
 0000000000000000
 [1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
 0000000000000400
 [1640542.566742] Call Trace:
 [1640542.567009]  anon_vma_clone+0x5d/0x170
 [1640542.567417]  __split_vma+0x91/0x1a0
 [1640542.567777]  do_munmap+0x2c6/0x320
 [1640542.568128]  vm_munmap+0x54/0x70
 [1640542.569990]  __x64_sys_munmap+0x22/0x30
 [1640542.572005]  do_syscall_64+0x5b/0x1b0
 [1640542.573724]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 [1640542.575642] RIP: 0033:0x7f45d6e61e27

 James Wang has reproduced it stably on the latest 4.19 LTS.
 After some debugging, we finally proved that it's due to ftrace
 buffer out-of-bound access using a debug tool as follows:
 [   86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
 [   86.780806]  no_context+0xdf/0x3c0
 [   86.784327]  __do_page_fault+0x252/0x470
 [   86.788367]  do_page_fault+0x32/0x140
 [   86.792145]  page_fault+0x1e/0x30
 [   86.795576]  strncpy_from_unsafe+0x66/0xb0
 [   86.799789]  fetch_memory_string+0x25/0x40
 [   86.804002]  fetch_deref_string+0x51/0x60
 [   86.808134]  kprobe_trace_func+0x32d/0x3a0
 [   86.812347]  kprobe_dispatcher+0x45/0x50
 [   86.816385]  kprobe_ftrace_handler+0x90/0xf0
 [   86.820779]  ftrace_ops_assist_func+0xa1/0x140
 [   86.825340]  0xffffffffc00750bf
 [   86.828603]  do_sys_open+0x5/0x1f0
 [   86.832124]  do_syscall_64+0x5b/0x1b0
 [   86.835900]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

 commit b220c049d519 ("tracing: Check length before giving out
 the filter buffer") adds length check to protect trace data
 overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent
 overflow entirely, the length check should also take the sizeof
 entry->array[0] into account, since this array[0] is filled the
 length of trace data and occupy addtional space and risk overflow.

 The Linux kernel CVE team has assigned CVE-2021-47274 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.9.258 with commit 2e584b1a02eeb860e286d39bc408b25ebc5ec844 and fixed in 4.9.273 with commit edcce01e0e50840a9aa6a70baed21477bdd2c9f9
 	Issue introduced in 4.14.222 with commit e46d433754420b4d6513ca389403de88a0910279 and fixed in 4.14.237 with commit 2d598902799886d67947406f26ee8e5fd2ca097f
 	Issue introduced in 4.19.177 with commit 0572fc6a510add9029b113239eaabf4b5bce8ec9 and fixed in 4.19.195 with commit 31ceae385556c37e4d286cb6378696448f566883
 	Issue introduced in 5.4.99 with commit a0997a86f5c0085e183ddee5fb72091d584d3d16 and fixed in 5.4.126 with commit d63f00ec908b3be635ead5d6029cc94246e1f38d
 	Issue introduced in 5.10.17 with commit 7c93d8cff582c459350d6f8906eea6e4cd60d959 and fixed in 5.10.44 with commit 43c32c22254b9328d7abb1c2b0f689dc67838e60
 	Issue introduced in 5.11 with commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf and fixed in 5.12.11 with commit b16a249eca2230c2cd66fa1d4b94743bd9b6ef92
 	Issue introduced in 5.11 with commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf and fixed in 5.13 with commit 3e08a9f9760f4a70d633c328a76408e62d6f80a3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47274
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/trace/trace.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/edcce01e0e50840a9aa6a70baed21477bdd2c9f9
 	https://git.kernel.org/stable/c/2d598902799886d67947406f26ee8e5fd2ca097f
 	https://git.kernel.org/stable/c/31ceae385556c37e4d286cb6378696448f566883
 	https://git.kernel.org/stable/c/d63f00ec908b3be635ead5d6029cc94246e1f38d
 	https://git.kernel.org/stable/c/43c32c22254b9328d7abb1c2b0f689dc67838e60
 	https://git.kernel.org/stable/c/b16a249eca2230c2cd66fa1d4b94743bd9b6ef92
 	https://git.kernel.org/stable/c/3e08a9f9760f4a70d633c328a76408e62d6f80a3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47274: tracing: Correct the length check which causes memory corruption

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tracing: Correct the length check which causes memory corruption

	We've suffered from severe kernel crashes due to memory corruption on
	our production environment, like,

	Call Trace:
	[1640542.554277] general protection fault: 0000 [#1] SMP PTI
	[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G
	[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190
	[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286
	[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX:
	0000000006e931bf
	[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI:
	ffff9a45ff004300
	[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09:
	0000000000000000
	[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12:
	ffffffff9a20608d
	[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15:
	696c662f65636976
	[1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000)
	knlGS:0000000000000000
	[1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4:
	00000000003606e0
	[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
	0000000000000000
	[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
	0000000000000400
	[1640542.566742] Call Trace:
	[1640542.567009] anon_vma_clone+0x5d/0x170
	[1640542.567417] __split_vma+0x91/0x1a0
	[1640542.567777] do_munmap+0x2c6/0x320
	[1640542.568128] vm_munmap+0x54/0x70
	[1640542.569990] __x64_sys_munmap+0x22/0x30
	[1640542.572005] do_syscall_64+0x5b/0x1b0
	[1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	[1640542.575642] RIP: 0033:0x7f45d6e61e27

	James Wang has reproduced it stably on the latest 4.19 LTS.
	After some debugging, we finally proved that it's due to ftrace
	buffer out-of-bound access using a debug tool as follows:
	[ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000
	[ 86.780806] no_context+0xdf/0x3c0
	[ 86.784327] __do_page_fault+0x252/0x470
	[ 86.788367] do_page_fault+0x32/0x140
	[ 86.792145] page_fault+0x1e/0x30
	[ 86.795576] strncpy_from_unsafe+0x66/0xb0
	[ 86.799789] fetch_memory_string+0x25/0x40
	[ 86.804002] fetch_deref_string+0x51/0x60
	[ 86.808134] kprobe_trace_func+0x32d/0x3a0
	[ 86.812347] kprobe_dispatcher+0x45/0x50
	[ 86.816385] kprobe_ftrace_handler+0x90/0xf0
	[ 86.820779] ftrace_ops_assist_func+0xa1/0x140
	[ 86.825340] 0xffffffffc00750bf
	[ 86.828603] do_sys_open+0x5/0x1f0
	[ 86.832124] do_syscall_64+0x5b/0x1b0
	[ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9

	commit b220c049d519 ("tracing: Check length before giving out
	the filter buffer") adds length check to protect trace data
	overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent
	overflow entirely, the length check should also take the sizeof
	entry->array[0] into account, since this array[0] is filled the
	length of trace data and occupy addtional space and risk overflow.

	The Linux kernel CVE team has assigned CVE-2021-47274 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.9.258 with commit 2e584b1a02eeb860e286d39bc408b25ebc5ec844 and fixed in 4.9.273 with commit edcce01e0e50840a9aa6a70baed21477bdd2c9f9
	Issue introduced in 4.14.222 with commit e46d433754420b4d6513ca389403de88a0910279 and fixed in 4.14.237 with commit 2d598902799886d67947406f26ee8e5fd2ca097f
	Issue introduced in 4.19.177 with commit 0572fc6a510add9029b113239eaabf4b5bce8ec9 and fixed in 4.19.195 with commit 31ceae385556c37e4d286cb6378696448f566883
	Issue introduced in 5.4.99 with commit a0997a86f5c0085e183ddee5fb72091d584d3d16 and fixed in 5.4.126 with commit d63f00ec908b3be635ead5d6029cc94246e1f38d
	Issue introduced in 5.10.17 with commit 7c93d8cff582c459350d6f8906eea6e4cd60d959 and fixed in 5.10.44 with commit 43c32c22254b9328d7abb1c2b0f689dc67838e60
	Issue introduced in 5.11 with commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf and fixed in 5.12.11 with commit b16a249eca2230c2cd66fa1d4b94743bd9b6ef92
	Issue introduced in 5.11 with commit b220c049d5196dd94d992dd2dc8cba1a5e6123bf and fixed in 5.13 with commit 3e08a9f9760f4a70d633c328a76408e62d6f80a3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47274
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/trace/trace.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/edcce01e0e50840a9aa6a70baed21477bdd2c9f9
	https://git.kernel.org/stable/c/2d598902799886d67947406f26ee8e5fd2ca097f
	https://git.kernel.org/stable/c/31ceae385556c37e4d286cb6378696448f566883
	https://git.kernel.org/stable/c/d63f00ec908b3be635ead5d6029cc94246e1f38d
	https://git.kernel.org/stable/c/43c32c22254b9328d7abb1c2b0f689dc67838e60
	https://git.kernel.org/stable/c/b16a249eca2230c2cd66fa1d4b94743bd9b6ef92
	https://git.kernel.org/stable/c/3e08a9f9760f4a70d633c328a76408e62d6f80a3