CVE-2021-47274

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Correct the length check which causes memory corruption We've suffered from severe kernel crashes due to memory corruption on our production environment, like, Call Trace: [1640542.554277] general protection fault: 0000 [#1] SMP PTI [1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G [1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190 [1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286 [1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf [1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300 [1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000 [1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d [1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976 [1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000 [1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0 [1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1640542.566742] Call Trace: [1640542.567009] anon_vma_clone+0x5d/0x170 [1640542.567417] __split_vma+0x91/0x1a0 [1640542.567777] do_munmap+0x2c6/0x320 [1640542.568128] vm_munmap+0x54/0x70 [1640542.569990] __x64_sys_munmap+0x22/0x30 [1640542.572005] do_syscall_64+0x5b/0x1b0 [1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [1640542.575642] RIP: 0033:0x7f45d6e61e27 James Wang has reproduced it stably on the latest 4.19 LTS. After some debugging, we finally proved that it's due to ftrace buffer out-of-bound access using a debug tool as follows: [ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000 [ 86.780806] no_context+0xdf/0x3c0 [ 86.784327] __do_page_fault+0x252/0x470 [ 86.788367] do_page_fault+0x32/0x140 [ 86.792145] page_fault+0x1e/0x30 [ 86.795576] strncpy_from_unsafe+0x66/0xb0 [ 86.799789] fetch_memory_string+0x25/0x40 [ 86.804002] fetch_deref_string+0x51/0x60 [ 86.808134] kprobe_trace_func+0x32d/0x3a0 [ 86.812347] kprobe_dispatcher+0x45/0x50 [ 86.816385] kprobe_ftrace_handler+0x90/0xf0 [ 86.820779] ftrace_ops_assist_func+0xa1/0x140 [ 86.825340] 0xffffffffc00750bf [ 86.828603] do_sys_open+0x5/0x1f0 [ 86.832124] do_syscall_64+0x5b/0x1b0 [ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9 commit b220c049d519 ("tracing: Check length before giving out the filter buffer") adds length check to protect trace data overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent overflow entirely, the length check should also take the sizeof entry->array[0] into account, since this array[0] is filled the length of trace data and occupy addtional space and risk overflow.

Comprehensive Technical Analysis of CVE-2021-47274

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2021-47274

Description: The vulnerability involves a memory corruption issue in the Linux kernel's tracing subsystem. Specifically, an incorrect length check in the tracing mechanism can lead to out-of-bounds memory access, resulting in severe kernel crashes and potential system instability.

Severity: The CVSS (Common Vulnerability Scoring System) score for this vulnerability is 9.8, indicating a critical severity level. This high score is due to the potential for complete system compromise, including arbitrary code execution and denial of service (DoS) attacks.

2. Potential Attack Vectors and Exploitation Methods

Attack Vectors:

Local Exploitation: An attacker with local access to the system can exploit this vulnerability by crafting specific system calls that trigger the memory corruption. This can lead to privilege escalation or denial of service.
Remote Exploitation: While less common, if an attacker can manipulate network packets or other inputs that interact with the kernel's tracing subsystem, remote exploitation is theoretically possible.

Exploitation Methods:

Buffer Overflow: By manipulating the length of trace data, an attacker can cause an out-of-bounds write, leading to memory corruption.
Kernel Panic: Exploiting this vulnerability can cause the kernel to panic, resulting in a system crash. This can be used for denial of service attacks.
Arbitrary Code Execution: In some cases, the memory corruption can be leveraged to execute arbitrary code with kernel privileges, leading to complete system compromise.

3. Affected Systems and Software Versions

Affected Systems:

Linux kernel versions prior to the patch that resolves this issue. Specifically, the vulnerability has been reproduced on the 4.19 LTS kernel version.

Software Versions:

All Linux distributions and systems running the affected kernel versions are potentially vulnerable. This includes but is not limited to:
- Ubuntu
- Debian
- CentOS
- Red Hat Enterprise Linux (RHEL)
- Fedora

4. Recommended Mitigation Strategies

Immediate Mitigation:

Apply Patches: Ensure that all systems are updated to the latest kernel version that includes the fix for CVE-2021-47274. The patches can be found in the references provided.
Kernel Configuration: Disable or restrict access to the tracing subsystem if it is not required for system operation.

Long-Term Mitigation:

Regular Updates: Implement a robust patch management process to ensure that all systems are regularly updated with the latest security patches.
Access Control: Limit access to the kernel's tracing subsystem to trusted users and processes.
Monitoring: Implement monitoring tools to detect and respond to unusual kernel activity that may indicate an exploitation attempt.

5. Impact on Cybersecurity Landscape

Immediate Impact:

System Stability: The vulnerability can lead to severe kernel crashes, impacting the stability and availability of affected systems.
Security Risks: Exploitation of this vulnerability can result in privilege escalation, arbitrary code execution, and denial of service attacks, posing significant security risks.

Long-Term Impact:

Increased Awareness: This vulnerability highlights the importance of thorough code reviews and testing, particularly for critical components like the kernel.
Patch Management: Organizations will need to prioritize kernel updates and patch management to mitigate similar vulnerabilities in the future.

6. Technical Details for Security Professionals

Technical Analysis:

Root Cause: The root cause of the vulnerability is an incorrect length check in the tracing subsystem, which allows for out-of-bounds memory access.
Call Trace: The provided call trace indicates that the issue occurs during memory allocation and manipulation, specifically in functions like kmem_cache_alloc and kprobe_trace_func.
Debugging: The issue was reproduced and debugged using tools that identified the out-of-bounds write at a specific memory address.

Patch Details:

Initial Fix: The initial patch (commit b220c049d519) added a length check to protect against trace data overflow.
Additional Fix: Further analysis revealed that the length check needed to account for the size of entry->array[0] to fully prevent overflow.

References:

By addressing this vulnerability promptly and thoroughly, organizations can mitigate the risks associated with CVE-2021-47274 and ensure the stability and security of their systems.

Description

Comprehensive Technical Analysis of CVE-2021-47274

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2021-47274

2. Potential Attack Vectors and Exploitation Methods

Attack Vectors:

Local Exploitation: An attacker with local access to the system can exploit this vulnerability by crafting specific system calls that trigger the memory corruption. This can lead to privilege escalation or denial of service.
Remote Exploitation: While less common, if an attacker can manipulate network packets or other inputs that interact with the kernel's tracing subsystem, remote exploitation is theoretically possible.

Exploitation Methods:

Buffer Overflow: By manipulating the length of trace data, an attacker can cause an out-of-bounds write, leading to memory corruption.
Kernel Panic: Exploiting this vulnerability can cause the kernel to panic, resulting in a system crash. This can be used for denial of service attacks.
Arbitrary Code Execution: In some cases, the memory corruption can be leveraged to execute arbitrary code with kernel privileges, leading to complete system compromise.

3. Affected Systems and Software Versions

Affected Systems:

Linux kernel versions prior to the patch that resolves this issue. Specifically, the vulnerability has been reproduced on the 4.19 LTS kernel version.

Software Versions:

All Linux distributions and systems running the affected kernel versions are potentially vulnerable. This includes but is not limited to:
- Ubuntu
- Debian
- CentOS
- Red Hat Enterprise Linux (RHEL)
- Fedora

4. Recommended Mitigation Strategies

Immediate Mitigation:

Apply Patches: Ensure that all systems are updated to the latest kernel version that includes the fix for CVE-2021-47274. The patches can be found in the references provided.
Kernel Configuration: Disable or restrict access to the tracing subsystem if it is not required for system operation.

Long-Term Mitigation:

Regular Updates: Implement a robust patch management process to ensure that all systems are regularly updated with the latest security patches.
Access Control: Limit access to the kernel's tracing subsystem to trusted users and processes.
Monitoring: Implement monitoring tools to detect and respond to unusual kernel activity that may indicate an exploitation attempt.

5. Impact on Cybersecurity Landscape

Immediate Impact:

System Stability: The vulnerability can lead to severe kernel crashes, impacting the stability and availability of affected systems.
Security Risks: Exploitation of this vulnerability can result in privilege escalation, arbitrary code execution, and denial of service attacks, posing significant security risks.

Long-Term Impact:

Increased Awareness: This vulnerability highlights the importance of thorough code reviews and testing, particularly for critical components like the kernel.
Patch Management: Organizations will need to prioritize kernel updates and patch management to mitigate similar vulnerabilities in the future.

6. Technical Details for Security Professionals

Technical Analysis:

Root Cause: The root cause of the vulnerability is an incorrect length check in the tracing subsystem, which allows for out-of-bounds memory access.
Call Trace: The provided call trace indicates that the issue occurs during memory allocation and manipulation, specifically in functions like kmem_cache_alloc and kprobe_trace_func.
Debugging: The issue was reproduced and debugged using tools that identified the out-of-bounds write at a specific memory address.

Patch Details:

Initial Fix: The initial patch (commit b220c049d519) added a length check to protect against trace data overflow.
Additional Fix: Further analysis revealed that the length check needed to account for the size of entry->array[0] to fully prevent overflow.

References:

By addressing this vulnerability promptly and thoroughly, organizations can mitigate the risks associated with CVE-2021-47274 and ensure the stability and security of their systems.

CVE-2021-47274

Weakness (CWE)

CVSS Vector

Description

Comprehensive Technical Analysis of CVE-2021-47274

1. Vulnerability Assessment and Severity Evaluation

2. Potential Attack Vectors and Exploitation Methods

3. Affected Systems and Software Versions

4. Recommended Mitigation Strategies

5. Impact on Cybersecurity Landscape

6. Technical Details for Security Professionals

References

CVE-2021-47274

CVE-2021-47274

Weakness (CWE)

CVSS Vector

Description

Comprehensive Technical Analysis of CVE-2021-47274

1. Vulnerability Assessment and Severity Evaluation

2. Potential Attack Vectors and Exploitation Methods

3. Affected Systems and Software Versions

4. Recommended Mitigation Strategies

5. Impact on Cybersecurity Landscape

6. Technical Details for Security Professionals

References