CVE-2021-47618

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: 9170/1: fix panic when kasan and kprobe are enabled<br /> <br /> arm32 uses software to simulate the instruction replaced<br /> by kprobe. some instructions may be simulated by constructing<br /> assembly functions. therefore, before executing instruction<br /> simulation, it is necessary to construct assembly function<br /> execution environment in C language through binding registers.<br /> after kasan is enabled, the register binding relationship will<br /> be destroyed, resulting in instruction simulation errors and<br /> causing kernel panic.<br /> <br /> the kprobe emulate instruction function is distributed in three<br /> files: actions-common.c actions-arm.c actions-thumb.c, so disable<br /> KASAN when compiling these files.<br /> <br /> for example, use kprobe insert on cap_capable+20 after kasan<br /> enabled, the cap_capable assembly code is as follows:<br /> :<br /> e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}<br /> e1a05000 mov r5, r0<br /> e280006c add r0, r0, #108 ; 0x6c<br /> e1a04001 mov r4, r1<br /> e1a06002 mov r6, r2<br /> e59fa090 ldr sl, [pc, #144] ;<br /> ebfc7bf8 bl c03aa4b4 <br /> e595706c ldr r7, [r5, #108] ; 0x6c<br /> e2859014 add r9, r5, #20<br /> ......<br /> The emulate_ldr assembly code after enabling kasan is as follows:<br /> c06f1384 :<br /> e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}<br /> e282803c add r8, r2, #60 ; 0x3c<br /> e1a05000 mov r5, r0<br /> e7e37855 ubfx r7, r5, #16, #4<br /> e1a00008 mov r0, r8<br /> e1a09001 mov r9, r1<br /> e1a04002 mov r4, r2<br /> ebf35462 bl c03c6530 <br /> e357000f cmp r7, #15<br /> e7e36655 ubfx r6, r5, #12, #4<br /> e205a00f and sl, r5, #15<br /> 0a000001 beq c06f13bc <br /> e0840107 add r0, r4, r7, lsl #2<br /> ebf3545c bl c03c6530 <br /> e084010a add r0, r4, sl, lsl #2<br /> ebf3545a bl c03c6530 <br /> e2890010 add r0, r9, #16<br /> ebf35458 bl c03c6530 <br /> e5990010 ldr r0, [r9, #16]<br /> e12fff30 blx r0<br /> e356000f cm r6, #15<br /> 1a000014 bne c06f1430 <br /> e1a06000 mov r6, r0<br /> e2840040 add r0, r4, #64 ; 0x40<br /> ......<br /> <br /> when running in emulate_ldr to simulate the ldr instruction, panic<br /> occurred, and the log is as follows:<br /> Unable to handle kernel NULL pointer dereference at virtual address<br /> 00000090<br /> pgd = ecb46400<br /> [00000090] *pgd=2e0fa003, *pmd=00000000<br /> Internal error: Oops: 206 [#1] SMP ARM<br /> PC is at cap_capable+0x14/0xb0<br /> LR is at emulate_ldr+0x50/0xc0<br /> psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c<br /> r10: 00000000 r9 : c30897f4 r8 : ecd63cd4<br /> r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98<br /> r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008<br /> Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user<br /> Control: 32c5387d Table: 2d546400 DAC: 55555555<br /> Process bash (pid: 1643, stack limit = 0xecd60190)<br /> (cap_capable) from (kprobe_handler+0x218/0x340)<br /> (kprobe_handler) from (kprobe_trap_handler+0x24/0x48)<br /> (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)<br /> (do_undefinstr) from (__und_svc_finish+0x0/0x30)<br /> (__und_svc_finish) from (cap_capable+0x18/0xb0)<br /> (cap_capable) from (cap_vm_enough_memory+0x38/0x48)<br /> (cap_vm_enough_memory) from<br /> (security_vm_enough_memory_mm+0x48/0x6c)<br /> (security_vm_enough_memory_mm) from<br /> (copy_process.constprop.5+0x16b4/0x25c8)<br /> (copy_process.constprop.5) from (_do_fork+0xe8/0x55c)<br /> (_do_fork) from (SyS_clone+0x1c/0x24)<br /> (SyS_clone) from (__sys_trace_return+0x0/0x10)<br /> Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)