CVE-2021-47462
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/05/2024
Last modified:
03/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in mbind()<br />
<br />
syzbot reported access to unitialized memory in mbind() [1]<br />
<br />
Issue came with commit bda420b98505 ("numa balancing: migrate on fault<br />
among multiple bound nodes")<br />
<br />
This commit added a new bit in MPOL_MODE_FLAGS, but only checked valid<br />
combination (MPOL_F_NUMA_BALANCING can only be used with MPOL_BIND) in<br />
do_set_mempolicy()<br />
<br />
This patch moves the check in sanitize_mpol_flags() so that it is also<br />
used by mbind()<br />
<br />
[1]<br />
BUG: KMSAN: uninit-value in __mpol_equal+0x567/0x590 mm/mempolicy.c:2260<br />
__mpol_equal+0x567/0x590 mm/mempolicy.c:2260<br />
mpol_equal include/linux/mempolicy.h:105 [inline]<br />
vma_merge+0x4a1/0x1e60 mm/mmap.c:1190<br />
mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811<br />
do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333<br />
kernel_mbind mm/mempolicy.c:1483 [inline]<br />
__do_sys_mbind mm/mempolicy.c:1490 [inline]<br />
__se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486<br />
__x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
Uninit was created at:<br />
slab_alloc_node mm/slub.c:3221 [inline]<br />
slab_alloc mm/slub.c:3230 [inline]<br />
kmem_cache_alloc+0x751/0xff0 mm/slub.c:3235<br />
mpol_new mm/mempolicy.c:293 [inline]<br />
do_mbind+0x912/0x15f0 mm/mempolicy.c:1289<br />
kernel_mbind mm/mempolicy.c:1483 [inline]<br />
__do_sys_mbind mm/mempolicy.c:1490 [inline]<br />
__se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486<br />
__x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
=====================================================<br />
Kernel panic - not syncing: panic_on_kmsan set ...<br />
CPU: 0 PID: 15049 Comm: syz-executor.0 Tainted: G B 5.15.0-rc2-syzkaller #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br />
Call Trace:<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106<br />
dump_stack+0x25/0x28 lib/dump_stack.c:113<br />
panic+0x44f/0xdeb kernel/panic.c:232<br />
kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186<br />
__msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208<br />
__mpol_equal+0x567/0x590 mm/mempolicy.c:2260<br />
mpol_equal include/linux/mempolicy.h:105 [inline]<br />
vma_merge+0x4a1/0x1e60 mm/mmap.c:1190<br />
mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811<br />
do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333<br />
kernel_mbind mm/mempolicy.c:1483 [inline]<br />
__do_sys_mbind mm/mempolicy.c:1490 [inline]<br />
__se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486<br />
__x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.14.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page