CVE-2021-47566 – proc/vmcore: fix clearing user buffer by properly using clear_user()
https://notcve.org/view.php?id=CVE-2021-47566
In the Linux kernel, the following vulnerability has been resolved: proc/vmcore: fix clearing user buffer by properly using clear_user() To clear a user buffer we cannot simply use memset, we have to use clear_user(). With a virtio-mem device that registers a vmcore_cb and has some logically unplugged memory inside an added Linux memory block, I can easily trigger a BUG by copying the vmcore via "cp": systemd[1]: Starting Kdump Vmcore Save Service... kdump[420]: Kdump is using the default log level(3). kdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[465]: saving vmcore-dmesg.txt complete kdump[467]: saving vmcore BUG: unable to handle page fault for address: 00007f2374e01000 #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867 Oops: 0003 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86 Code: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81 RSP: 0018:ffffc9000073be08 EFLAGS: 00010212 RAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000 RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008 RBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50 R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000 R13: 00007f2374e01000 R14: 0000000000000000 R15: ffff88807bd421e8 FS: 00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0 Call Trace: read_vmcore+0x236/0x2c0 proc_reg_read+0x55/0xa0 vfs_read+0x95/0x190 ksys_read+0x4f/0xc0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Some x86-64 CPUs have a CPU feature called "Supervisor Mode Access Prevention (SMAP)", which is used to detect wrong access from the kernel to user buffers like this: SMAP triggers a permissions violation on wrong access. In the x86-64 variant of clear_user(), SMAP is properly handled via clac()+stac(). To fix, properly use clear_user() when we're dealing with a user buffer. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: proc/vmcore: corrige el borrado del búfer del usuario usando correctamente clear_user() Para borrar un búfer de usuario no podemos simplemente usar memset, tenemos que usar clear_user(). Con un dispositivo virtio-mem que registra un vmcore_cb y tiene algo de memoria lógicamente desconectada dentro de un bloque de memoria de Linux agregado, puedo desencadenar fácilmente un ERROR copiando el vmcore a través de "cp": systemd[1]: Iniciando el servicio Kdump Vmcore Save. . kdump[420]: Kdump está utilizando el nivel de registro predeterminado (3). kdump[453]: guardar en /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/ kdump[458]: guardar vmcore-dmesg.txt en /sysroot/var/crash/127.0 .0.1-2021-11-11-14:59:22/ kdump[465]: guardar vmcore-dmesg.txt completo kdump[467]: guardar vmcore ERROR: no se puede manejar el error de página para la dirección: 00007f2374e01000 #PF: escritura del supervisor acceso en modo kernel #PF: error_code(0x0003) - violación de permisos PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867 Ups: 0003 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 468 Comm: p No contaminado 5.15.0+ # 6 Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 01/04/2014 RIP: 0010:read_from_oldmem.part.0.cold+0x1d/ 0x86 Código: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 C7 44 05 F8 00 00 00 00 48 83 E7 F81 RSP: 0018: FFFFFC9000073BE08 EFLAGS: 00010212 RAX: 00000000000000001000 RBX: 000000002FD000 RCX: 00007F2374E RSI: 000000000000FFFFDFFF RDI: 00007F2374E01008 RBP: 000000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50 R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000 R13: 00007f2374e01000 R14: 0000000000000000 R15: 88807bd421e8 FS: 00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2 : 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0 Seguimiento de llamadas: read_vmcore+0x236/0x2c0 proc_reg_read+0x55/0xa0 vfs_read+0x95/0x190 do_syscall_64+0x3b/0x90 Entry_SYSCALL_64_after_hwframe+0x44/0xae Algunas CPU x86-64 tienen una función de CPU llamada "Prevención de acceso en modo supervisor (SMAP)", que se utiliza para detectar accesos incorrectos desde el kernel a los búferes de usuario como este: SMAP desencadena una violación de permisos en caso de acceso incorrecto. • https://git.kernel.org/stable/c/997c136f518c5debd63847e78e2a8694f56dcf90 https://git.kernel.org/stable/c/a9e164bd160be8cbee1df70acb379129e3cd2e7c https://git.kernel.org/stable/c/33a7d698f30fa0b99d50569e9909d3baa65d8f6a https://git.kernel.org/stable/c/99d348b82bcb36171f24411d3f1a15706a2a937a https://git.kernel.org/stable/c/9ef384ed300d1bcfb23d0ab0b487d544444d4b52 https://git.kernel.org/stable/c/fd7974c547abfb03072a4ee706d3a6f182266f89 https://git.kernel.org/stable/c/a8a917058faf4abaec9fb614bb6d5f8fe3529ec6 https://git.kernel.org/stable/c/7b3a34f08d11e7f05cd00b8e09adaa151 • CWE-501: Trust Boundary Violation •
CVE-2021-47565 – scsi: mpt3sas: Fix kernel panic during drive powercycle test
https://notcve.org/view.php?id=CVE-2021-47565
In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix kernel panic during drive powercycle test While looping over shost's sdev list it is possible that one of the drives is getting removed and its sas_target object is freed but its sdev object remains intact. Consequently, a kernel panic can occur while the driver is trying to access the sas_address field of sas_target object without also checking the sas_target object for NULL. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: mpt3sas: solucionó el pánico del kernel durante la prueba de ciclo de energía de la unidad. Mientras se recorre la lista sdev de shost, es posible que una de las unidades se esté eliminando y su objeto sas_target se libere pero su objeto sdev permanece intacta. En consecuencia, puede ocurrir un pánico en el kernel mientras el controlador intenta acceder al campo sas_address del objeto sas_target sin verificar también si el objeto sas_target es NULL. • https://git.kernel.org/stable/c/f92363d12359498f9a9960511de1a550f0ec41c2 https://git.kernel.org/stable/c/5d4d50b1f159a5ebab7617f47121b4370aa58afe https://git.kernel.org/stable/c/58ef2c7a6de13721865d84b80eecf56d6cba0937 https://git.kernel.org/stable/c/dd035ca0e7a142870a970d46b1d19276cfe2bc8c https://git.kernel.org/stable/c/0d4b29eaadc1f59cec0c7e85eae77d08fcca9824 https://git.kernel.org/stable/c/7e324f734a914957b8cc3ff4b4c9f0409558adb5 https://git.kernel.org/stable/c/2bf9c5a5039c8f4b037236aed505e6a25c1d5f7b https://git.kernel.org/stable/c/8485649a7655e791a6e4e9f15b4d30fda •
CVE-2021-47560 – mlxsw: spectrum: Protect driver from buggy firmware
https://notcve.org/view.php?id=CVE-2021-47560
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum: Protect driver from buggy firmware When processing port up/down events generated by the device's firmware, the driver protects itself from events reported for non-existent local ports, but not the CPU port (local port 0), which exists, but lacks a netdev. This can result in a NULL pointer dereference when calling netif_carrier_{on,off}(). Fix this by bailing early when processing an event reported for the CPU port. Problem was only observed when running on top of a buggy emulator. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: espectro: protege el controlador de firmware defectuoso Al procesar eventos de activación/desactivación de puerto generados por el firmware del dispositivo, el controlador se protege de eventos informados para puertos locales inexistentes, pero no el puerto de la CPU (puerto local 0), que existe, pero carece de netdev. Esto puede resultar en una desreferencia del puntero NULL al llamar a netif_carrier_{on,off}(). Solucione este problema cancelando el proceso con antelación al procesar un evento informado para el puerto de la CPU. • https://git.kernel.org/stable/c/28b1987ef5064dd5c43538ba1168ef7b801f3cad https://git.kernel.org/stable/c/90d0736876c50ecde1a3275636a06b9ddb1cace9 https://git.kernel.org/stable/c/da4d70199e5d82da664a80077508d6c18f5e76df https://git.kernel.org/stable/c/63b08b1f6834bbb0b4f7783bf63b80c8c8e9a047 https://access.redhat.com/security/cve/CVE-2021-47560 https://bugzilla.redhat.com/show_bug.cgi?id=2283389 • CWE-476: NULL Pointer Dereference •
CVE-2021-47559 – net/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()
https://notcve.org/view.php?id=CVE-2021-47559
In the Linux kernel, the following vulnerability has been resolved: net/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk() Coverity reports a possible NULL dereferencing problem: in smc_vlan_by_tcpsk(): 6. returned_null: netdev_lower_get_next returns NULL (checked 29 out of 30 times). 7. var_assigned: Assigning: ndev = NULL return value from netdev_lower_get_next. 1623 ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower); CID 1468509 (#1 of 1): Dereference null return value (NULL_RETURNS) 8. dereference: Dereferencing a pointer that might be NULL ndev when calling is_vlan_dev. 1624 if (is_vlan_dev(ndev)) { Remove the manual implementation and use netdev_walk_all_lower_dev() to iterate over the lower devices. While on it remove an obsolete function parameter comment. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/smc: corrige la desreferenciación del puntero NULL en smc_vlan_by_tcpsk() Coverity informa un posible problema de desreferenciación de NULL: en smc_vlan_by_tcpsk(): 6. return_null: netdev_lower_get_next devuelve NULL (comprobado 29 de 30 veces). 7. var_assigned: Asignación: ndev = valor de retorno NULL de netdev_lower_get_next. 1623 ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower); CID 1468509 (#1 de 1): Desreferenciar valor de retorno nulo (NULL_RETURNS) 8. desreferencia: Desreferenciar un puntero que podría ser NULL ndev al llamar a is_vlan_dev. 1624 if (is_vlan_dev(ndev)) { Elimine la implementación manual y use netdev_walk_all_lower_dev() para iterar sobre los dispositivos inferiores. Mientras esté en él, elimine un comentario de parámetro de función obsoleto. A vulnerability was found in the Linux kernel's SMC implementation in the smc_vlan_by_tcpsk() function. • https://git.kernel.org/stable/c/cb9d43f6775457cac75544bc4197f26ac2b6f294 https://git.kernel.org/stable/c/c94cbd262b6aa3b54d73a1ed1f9c0d19df57f4ff https://git.kernel.org/stable/c/bb851d0fb02547d03cd40106b5f2391c4fed6ed1 https://git.kernel.org/stable/c/587acad41f1bc48e16f42bb2aca63bf323380be8 https://access.redhat.com/security/cve/CVE-2021-47559 https://bugzilla.redhat.com/show_bug.cgi?id=2283390 • CWE-476: NULL Pointer Dereference •
CVE-2021-47555 – net: vlan: fix underflow for the real_dev refcnt
https://notcve.org/view.php?id=CVE-2021-47555
In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix underflow for the real_dev refcnt Inject error before dev_hold(real_dev) in register_vlan_dev(), and execute the following testcase: ip link add dev dummy1 type dummy ip link add name dummy1.100 link dummy1 type vlan id 100 ip link del dev dummy1 When the dummy netdevice is removed, we will get a WARNING as following: ======================================================================= refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 and an endless loop of: ======================================================================= unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824 That is because dev_put(real_dev) in vlan_dev_free() be called without dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev underflow. Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev symmetrical. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: vlan: corrige el desbordamiento insuficiente para real_dev refcnt Inyecte el error antes de dev_hold(real_dev) en Register_vlan_dev() y ejecute el siguiente caso de prueba: ip link add dev dummy1 tipo dummy ip link add nombre dummy1.100 link dummy1 tipo vlan id 100 ip link del dev dummy1 Cuando se elimina el dispositivo de red ficticio, recibiremos una ADVERTENCIA como la siguiente: ===================== ==================================================== = refcount_t: decremento hit 0; pérdida de memoria. • https://git.kernel.org/stable/c/700602b662d7eaa816b1a3cb0abe7a85de358fd4 https://git.kernel.org/stable/c/e04a7a84bb77f9cdf4475340fe931389bc72331c https://git.kernel.org/stable/c/21032425c36ff85f16e72ca92193a8c401e4acd5 https://git.kernel.org/stable/c/fca96b3f852a1b369b7b2844ce357cd689879934 https://git.kernel.org/stable/c/5e44178864b38dd70b877985abd7d86fdb95f27d https://git.kernel.org/stable/c/6e800ee43218a56acc93676bbb3d93b74779e555 https://git.kernel.org/stable/c/f7fc72a508cf115c273a7a29350069def1041890 https://git.kernel.org/stable/c/01d9cc2dea3fde3bad6d27f464eff4634 •