Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2021-47640

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
26/02/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/kasan: Fix early region not updated correctly<br /> <br /> The shadow&amp;#39;s page table is not updated when PTE_RPN_SHIFT is 24<br /> and PAGE_SHIFT is 12. It not only causes false positives but<br /> also false negative as shown the following text.<br /> <br /> Fix it by bringing the logic of kasan_early_shadow_page_entry here.<br /> <br /> 1. False Positive:<br /> ==================================================================<br /> BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50<br /> Write of size 16 at addr f57f3be0 by task swapper/0/1<br /> <br /> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1<br /> Call Trace:<br /> [c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)<br /> [c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300<br /> [c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200<br /> [c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0<br /> [c80d1cc0] [c03018a4] memset+0x34/0x90<br /> [c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50<br /> [c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570<br /> [c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0<br /> [c80d1db0] [c2036580] init_sd+0xc4/0x1d0<br /> [c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c<br /> [c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384<br /> [c80d1ef0] [c0004b14] kernel_init+0x24/0x170<br /> [c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64<br /> <br /> Memory state around the buggy address:<br /> f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> &gt;f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> ^<br /> f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8<br /> ==================================================================<br /> <br /> 2. False Negative (with KASAN tests):<br /> ==================================================================<br /> Before fix:<br /> ok 45 - kmalloc_double_kzfree<br /> # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039<br /> KASAN failure expected in "((volatile char *)area)[3100]", but none occurred<br /> not ok 46 - vmalloc_oob<br /> not ok 1 - kasan<br /> <br /> ==================================================================<br /> After fix:<br /> ok 1 - kasan

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4 (including) 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools