fkie_cve-2021-47632
Vulnerability from fkie_nvd
Published
2025-02-26 06:37
Modified
2025-03-18 19:35
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: powerpc/set_memory: Avoid spinlock recursion in change_page_attr() Commit 1f9ad21c3b38 ("powerpc/mm: Implement set_memory() routines") included a spin_lock() to change_page_attr() in order to safely perform the three step operations. But then commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") modify it to use pte_update() and do the operation safely against concurrent access. In the meantime, Maxime reported some spinlock recursion. [ 15.351649] BUG: spinlock recursion on CPU#0, kworker/0:2/217 [ 15.357540] lock: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0 [ 15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ #523 [ 15.373350] Workqueue: events do_free_init [ 15.377615] Call Trace: [ 15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable) [ 15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4 [ 15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310 [ 15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0 [ 15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8 [ 15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94 [ 15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310 [ 15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134 [ 15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8 [ 15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c [ 15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8 [ 15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94 [ 15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8 [ 15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8 [ 15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210 [ 15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c Remove the read / modify / write sequence to make the operation atomic and remove the spin_lock() in change_page_attr(). To do the operation atomically, we can't use pte modification helpers anymore. Because all platforms have different combination of bits, it is not easy to use those bits directly. But all have the _PAGE_KERNEL_{RO/ROX/RW/RWX} set of flags. All we need it to compare two sets to know which bits are set or cleared. For instance, by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you know which bit gets cleared and which bit get set when changing exec permission.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6def4eaf0391f24be541633a954c0e4876858b1ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6ebe5ca2cbe438a688f2ae238ef5a0b0b5f3468aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/96917107e67846f1d959ed03be281048efad14c5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a4c182ecf33584b9b2d1aa9dad073014a504c01fPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE872F08-121D-4AE8-82B9-2B5DA905C944",
              "versionEndExcluding": "5.15.34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABBBA66E-0244-4621-966B-9790AF1EEB00",
              "versionEndExcluding": "5.16.20",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE420AC7-1E59-4398-B84F-71F4B4337762",
              "versionEndExcluding": "5.17.3",
              "versionStartIncluding": "5.17",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/set_memory: Avoid spinlock recursion in change_page_attr()\n\nCommit 1f9ad21c3b38 (\"powerpc/mm: Implement set_memory() routines\")\nincluded a spin_lock() to change_page_attr() in order to\nsafely perform the three step operations. But then\ncommit 9f7853d7609d (\"powerpc/mm: Fix set_memory_*() against\nconcurrent accesses\") modify it to use pte_update() and do\nthe operation safely against concurrent access.\n\nIn the meantime, Maxime reported some spinlock recursion.\n\n[   15.351649] BUG: spinlock recursion on CPU#0, kworker/0:2/217\n[   15.357540]  lock: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0\n[   15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ #523\n[   15.373350] Workqueue: events do_free_init\n[   15.377615] Call Trace:\n[   15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable)\n[   15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4\n[   15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310\n[   15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0\n[   15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8\n[   15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94\n[   15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310\n[   15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134\n[   15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8\n[   15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c\n[   15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8\n[   15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94\n[   15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8\n[   15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8\n[   15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210\n[   15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c\n\nRemove the read / modify / write sequence to make the operation atomic\nand remove the spin_lock() in change_page_attr().\n\nTo do the operation atomically, we can\u0027t use pte modification helpers\nanymore. Because all platforms have different combination of bits, it\nis not easy to use those bits directly. But all have the\n_PAGE_KERNEL_{RO/ROX/RW/RWX} set of flags. All we need it to compare\ntwo sets to know which bits are set or cleared.\n\nFor instance, by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you\nknow which bit gets cleared and which bit get set when changing exec\npermission."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/set_memory: Evitar recursi\u00f3n de spinlock en change_page_attr() La confirmaci\u00f3n 1f9ad21c3b38 (\"powerpc/mm: Implementar rutinas set_memory()\") incluy\u00f3 un spin_lock() en change_page_attr() para realizar de forma segura las operaciones de tres pasos. Pero luego, la confirmaci\u00f3n 9f7853d7609d (\"powerpc/mm: Arreglar set_memory_*() contra accesos concurrentes\") lo modific\u00f3 para usar pte_update() y realizar la operaci\u00f3n de forma segura contra accesos concurrentes. Mientras tanto, Maxime inform\u00f3 de cierta recursi\u00f3n de spinlock. [ 15.351649] ERROR: recursi\u00f3n de spinlock en CPU#0, kworker/0:2/217 [ 15.357540] bloqueo: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0 [ 15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 No contaminado 5.15.0+ #523 [ 15.373350] Cola de trabajo: events do_free_init [ 15.377615] Call Trace: [ 15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable) [ 15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4 [ 15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310 [ 15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0 [ 15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8 [ 15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94 [ 15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310 [ 15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134 [ 15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8 [ 15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c [ 15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8 [ 15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94 [ 15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8 [ 15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8 [ 15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210 [ 15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c Elimina la secuencia de lectura/modificaci\u00f3n/escritura para hacer que la operaci\u00f3n sea at\u00f3mica y elimina el spin_lock() en change_page_attr(). Para hacer la operaci\u00f3n de forma at\u00f3mica, ya no podemos usar ayudantes de modificaci\u00f3n de pte. Debido a que todas las plataformas tienen diferentes combinaciones de bits, no es f\u00e1cil usar esos bits directamente. Pero todas tienen el conjunto de indicadores _PAGE_KERNEL_{RO/ROX/RW/RWX}. Todo lo que necesitamos es comparar dos conjuntos para saber qu\u00e9 bits est\u00e1n configurados o borrados. Por ejemplo, al comparar _PAGE_KERNEL_ROX y _PAGE_KERNEL_RO sabes qu\u00e9 bit se borra y qu\u00e9 bit se configura al cambiar el permiso de ejecuci\u00f3n."
    }
  ],
  "id": "CVE-2021-47632",
  "lastModified": "2025-03-18T19:35:06.943",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T06:37:04.943",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6def4eaf0391f24be541633a954c0e4876858b1e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6ebe5ca2cbe438a688f2ae238ef5a0b0b5f3468a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/96917107e67846f1d959ed03be281048efad14c5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a4c182ecf33584b9b2d1aa9dad073014a504c01f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-667"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.