// For flags

CVE-2021-47430

x86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

x86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n

Commit

3c73b81a9164 ("x86/entry, selftests: Further improve user entry sanity checks")

added a warning if AC is set when in the kernel.

Commit

662a0221893a3d ("x86/entry: Fix AC assertion")

changed the warning to only fire if the CPU supports SMAP.

However, the warning can still trigger on a machine that supports SMAP
but where it's disabled in the kernel config and when running the
syscall_nt selftest, for example:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 49 at irqentry_enter_from_user_mode
CPU: 0 PID: 49 Comm: init Tainted: G T 5.15.0-rc4+ #98 e6202628ee053b4f310759978284bd8bb0ce6905
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:irqentry_enter_from_user_mode
...
Call Trace:
? irqentry_enter
? exc_general_protection
? asm_exc_general_protection
? asm_exc_general_protectio

IS_ENABLED(CONFIG_X86_SMAP) could be added to the warning condition, but
even this would not be enough in case SMAP is disabled at boot time with
the "nosmap" parameter.

To be consistent with "nosmap" behaviour, clear X86_FEATURE_SMAP when
!CONFIG_X86_SMAP.

Found using entry-fuzz + satrandconfig.

[ bp: Massage commit message. ]

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: x86/entry: borra X86_FEATURE_SMAP cuando CONFIG_X86_SMAP=n confirmación 3c73b81a9164 ("x86/entry, selftests: mejora aún más las comprobaciones de seguridad de entrada del usuario") agregó una advertencia si AC está configurado en el núcleo. La confirmación 662a0221893a3d ("x86/entry: Reparar aserción de AC") cambió la advertencia para que solo se active si la CPU admite SMAP. Sin embargo, la advertencia aún puede activarse en una máquina que admite SMAP pero donde está deshabilitado en la configuración del kernel y cuando se ejecuta la autoprueba syscall_nt, por ejemplo: ------------[ cortar aquí ]--- --------- ADVERTENCIA: CPU: 0 PID: 49 en irqentry_enter_from_user_mode CPU: 0 PID: 49 Comm: init Tainted: GT 5.15.0-rc4+ #98 e6202628ee053b4f310759978284bd8bb0ce6905 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 01/04/2014 RIP: 0010:irqentry_enter_from_user_mode... Seguimiento de llamadas:? irqentry_enter? exc_general_protection? asm_exc_general_protection? Se podría agregar asm_exc_general_protectio IS_ENABLED(CONFIG_X86_SMAP) a la condición de advertencia, pero incluso esto no sería suficiente en caso de que SMAP esté deshabilitado en el momento del arranque con el parámetro "nosmap". Para ser coherente con el comportamiento de "nosmap", borre X86_FEATURE_SMAP cuando !CONFIG_X86_SMAP. Encontrado usando Entry-fuzz + satrandconfig. [pb: mensaje de confirmación de masaje. ]

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-21 CVE Reserved
  • 2024-05-21 CVE Published
  • 2024-05-22 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.8 < 5.10.73
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.8 < 5.10.73"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.8 < 5.14.12
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.8 < 5.14.12"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.8 < 5.15
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.8 < 5.15"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
5.8.8
Search vendor "Linux" for product "Linux Kernel" and version "5.8.8"
en
Affected