mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
129 lines
8.6 KiB
JSON
129 lines
8.6 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2021-47011",
|
|
"ASSIGNER": "cve@kernel.org",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memcontrol: slab: fix obtain a reference to a freeing memcg\n\nPatch series \"Use obj_cgroup APIs to charge kmem pages\", v5.\n\nSince Roman's series \"The new cgroup slab memory controller\" applied.\nAll slab objects are charged with the new APIs of obj_cgroup. The new\nAPIs introduce a struct obj_cgroup to charge slab objects. It prevents\nlong-living objects from pinning the original memory cgroup in the\nmemory. But there are still some corner objects (e.g. allocations\nlarger than order-1 page on SLUB) which are not charged with the new\nAPIs. Those objects (include the pages which are allocated from buddy\nallocator directly) are charged as kmem pages which still hold a\nreference to the memory cgroup.\n\nE.g. We know that the kernel stack is charged as kmem pages because the\nsize of the kernel stack can be greater than 2 pages (e.g. 16KB on\nx86_64 or arm64). If we create a thread (suppose the thread stack is\ncharged to memory cgroup A) and then move it from memory cgroup A to\nmemory cgroup B. Because the kernel stack of the thread hold a\nreference to the memory cgroup A. The thread can pin the memory cgroup\nA in the memory even if we remove the cgroup A. If we want to see this\nscenario by using the following script. We can see that the system has\nadded 500 dying cgroups (This is not a real world issue, just a script\nto show that the large kmallocs are charged as kmem pages which can pin\nthe memory cgroup in the memory).\n\n\t#!/bin/bash\n\n\tcat /proc/cgroups | grep memory\n\n\tcd /sys/fs/cgroup/memory\n\techo 1 > memory.move_charge_at_immigrate\n\n\tfor i in range{1..500}\n\tdo\n\t\tmkdir kmem_test\n\t\techo $$ > kmem_test/cgroup.procs\n\t\tsleep 3600 &\n\t\techo $$ > cgroup.procs\n\t\techo `cat kmem_test/cgroup.procs` > cgroup.procs\n\t\trmdir kmem_test\n\tdone\n\n\tcat /proc/cgroups | grep memory\n\nThis patchset aims to make those kmem pages to drop the reference to\nmemory cgroup by using the APIs of obj_cgroup. Finally, we can see that\nthe number of the dying cgroups will not increase if we run the above test\nscript.\n\nThis patch (of 7):\n\nThe rcu_read_lock/unlock only can guarantee that the memcg will not be\nfreed, but it cannot guarantee the success of css_get (which is in the\nrefill_stock when cached memcg changed) to memcg.\n\n rcu_read_lock()\n memcg = obj_cgroup_memcg(old)\n __memcg_kmem_uncharge(memcg)\n refill_stock(memcg)\n if (stock->cached != memcg)\n // css_get can change the ref counter from 0 back to 1.\n css_get(&memcg->css)\n rcu_read_unlock()\n\nThis fix is very like the commit:\n\n eefbfa7fd678 (\"mm: memcg/slab: fix use after free in obj_cgroup_charge\")\n\nFix this by holding a reference to the memcg which is passed to the\n__memcg_kmem_uncharge() before calling __memcg_kmem_uncharge()."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "n/a"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Linux",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Linux",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "26f54dac1564",
|
|
"version_value": "31df8bc4d3fe"
|
|
},
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "3de7d4f25a74",
|
|
"version_value": "89b1ed358e01"
|
|
},
|
|
{
|
|
"version_value": "not down converted",
|
|
"x_cve_json_5_version_data": {
|
|
"versions": [
|
|
{
|
|
"version": "5.11",
|
|
"status": "affected"
|
|
},
|
|
{
|
|
"version": "0",
|
|
"lessThan": "5.11",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "5.10.37",
|
|
"lessThanOrEqual": "5.10.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "5.11.21",
|
|
"lessThanOrEqual": "5.11.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "5.12.4",
|
|
"lessThanOrEqual": "5.12.*",
|
|
"status": "unaffected",
|
|
"versionType": "semver"
|
|
},
|
|
{
|
|
"version": "5.13",
|
|
"lessThanOrEqual": "*",
|
|
"status": "unaffected",
|
|
"versionType": "original_commit_for_fix"
|
|
}
|
|
],
|
|
"defaultStatus": "affected"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/31df8bc4d3feca9f9c6b2cd06fd64a111ae1a0e6",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/31df8bc4d3feca9f9c6b2cd06fd64a111ae1a0e6"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/89b1ed358e01e1b0417f5d3b0082359a23355552",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/89b1ed358e01e1b0417f5d3b0082359a23355552"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/c3ae6a3f3ca4f02f6ccddf213c027302586580d0",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/c3ae6a3f3ca4f02f6ccddf213c027302586580d0"
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/9f38f03ae8d5f57371b71aa6b4275765b65454fd",
|
|
"refsource": "MISC",
|
|
"name": "https://git.kernel.org/stable/c/9f38f03ae8d5f57371b71aa6b4275765b65454fd"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "bippy-9e1c9544281a"
|
|
}
|
|
} |