mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-29 01:31:20 +00:00
84 lines
6.8 KiB
JSON
```json
{
  "id": "CVE-2021-47350",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-05-21T15:15:21.483",
  "lastModified": "2024-11-21T06:35:56.687",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm: Fix lockup on kernel exec fault\n\nThe powerpc kernel is not prepared to handle exec faults from kernel.\nEspecially, the function is_exec_fault() will return 'false' when an\nexec fault is taken by kernel, because the check is based on reading\ncurrent->thread.regs->trap which contains the trap from user.\n\nFor instance, when provoking a LKDTM EXEC_USERSPACE test,\ncurrent->thread.regs->trap is set to SYSCALL trap (0xc00), and\nthe fault taken by the kernel is not seen as an exec fault by\nset_access_flags_filter().\n\nCommit d7df2443cd5f (\"powerpc/mm: Fix spurious segfaults on radix\nwith autonuma\") made it clear and handled it properly. But later on\ncommit d3ca587404b3 (\"powerpc/mm: Fix reporting of kernel execute\nfaults\") removed that handling, introducing test based on error_code.\nAnd here is the problem, because on the 603 all upper bits of SRR1\nget cleared when the TLB instruction miss handler bails out to ISI.\n\nUntil commit cbd7e6ca0210 (\"powerpc/fault: Avoid heavy\nsearch_exception_tables() verification\"), an exec fault from kernel\nat a userspace address was indirectly caught by the lack of entry for\nthat address in the exception tables. But after that commit the\nkernel mainly relies on KUAP or on core mm handling to catch wrong\nuser accesses. Here the access is not wrong, so mm handles it.\nIt is a minor fault because PAGE_EXEC is not set,\nset_access_flags_filter() should set PAGE_EXEC and voila.\nBut as is_exec_fault() returns false as explained in the beginning,\nset_access_flags_filter() bails out without setting PAGE_EXEC flag,\nwhich leads to a forever minor exec fault.\n\nAs the kernel is not prepared to handle such exec faults, the thing to\ndo is to fire in bad_kernel_fault() for any exec fault taken by the\nkernel, as it was prior to commit d3ca587404b3."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: powerpc/mm: corrige el bloqueo en el fallo de ejecuci\u00f3n del kernel. El kernel de powerpc no est\u00e1 preparado para manejar fallos de ejecuci\u00f3n del kernel. Especialmente, la funci\u00f3n is_exec_fault() devolver\u00e1 'false' cuando el kernel tome un fallo de ejecuci\u00f3n, porque la verificaci\u00f3n se basa en la lectura de current->thread.regs->trap que contiene la trampa del usuario. Por ejemplo, al provocar una prueba LKDTM EXEC_USERSPACE, current->thread.regs->trap se establece en SYSCALL trap (0xc00), y set_access_flags_filter() no ve el error cometido por el kernel como un error de ejecuci\u00f3n. La confirmaci\u00f3n d7df2443cd5f (\"powerpc/mm: corregir errores de segmentaci\u00f3n falsos en radix con autonuma\") lo dej\u00f3 claro y lo manej\u00f3 correctamente. Pero m\u00e1s tarde, la confirmaci\u00f3n d3ca587404b3 (\"powerpc/mm: corregir informes de fallas de ejecuci\u00f3n del kernel\") elimin\u00f3 ese manejo, introduciendo una prueba basada en error_code. Y aqu\u00ed est\u00e1 el problema, porque en el 603 todos los bits superiores de SRR1 se borran cuando el controlador de errores de instrucci\u00f3n TLB sale a ISI. Hasta la confirmaci\u00f3n cbd7e6ca0210 (\"powerpc/fault: Evite la verificaci\u00f3n pesada de search_exception_tables()\"), un fallo de ejecuci\u00f3n del kernel en una direcci\u00f3n de espacio de usuario se detectaba indirectamente por la falta de entrada para esa direcci\u00f3n en las tablas de excepci\u00f3n. Pero despu\u00e9s de esa confirmaci\u00f3n, el kernel depende principalmente de KUAP o del manejo de mm del n\u00facleo para detectar accesos de usuarios incorrectos. Aqu\u00ed el acceso no es incorrecto, por lo que mm lo maneja. Es un fallo menor porque PAGE_EXEC no est\u00e1 configurada, set_access_flags_filter() deber\u00eda configurar PAGE_EXEC y listo. Pero como is_exec_fault() devuelve false como se explic\u00f3 al principio, set_access_flags_filter() sale sin configurar el indicador PAGE_EXEC, lo que conduce a un fallo de ejecuci\u00f3n menor para siempre. Como el kernel no est\u00e1 preparado para manejar tales fallos de ejecuci\u00f3n, lo que hay que hacer es activar bad_kernel_fault() para cualquier fallo de ejecuci\u00f3n tomado por el kernel, como estaba antes de la confirmaci\u00f3n d3ca587404b3."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6
      }
    ]
  },
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/500f81cec9f1bfa5210aa9dd5ba9a06e22f62a35",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/8a96ec5ebf96ad8e2ba7b1b34103a0be5140fc70",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/a82471a14aad90f79d1608d2bcbb019f0ffb53f0",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/cd5d5e602f502895e47e18cd46804d6d7014e65c",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/d2e52d4664097a6c1f591d869ec594bd7a0d4925",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/500f81cec9f1bfa5210aa9dd5ba9a06e22f62a35",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://git.kernel.org/stable/c/8a96ec5ebf96ad8e2ba7b1b34103a0be5140fc70",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://git.kernel.org/stable/c/a82471a14aad90f79d1608d2bcbb019f0ffb53f0",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://git.kernel.org/stable/c/cd5d5e602f502895e47e18cd46804d6d7014e65c",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://git.kernel.org/stable/c/d2e52d4664097a6c1f591d869ec594bd7a0d4925",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    }
  ]
}
```