
CVE-2021-46957: Vulnerability in the Linux kernel

Severity: Medium
Published: Tue Feb 27 2024 (02/27/2024, 18:46:58 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe

The execution of sys_read ends up hitting a BUG_ON() in __find_get_block after installing a kprobe at sys_read. The BUG message looks like the following:

    [ 65.708663] ------------[ cut here ]------------
    [ 65.709987] kernel BUG at fs/buffer.c:1251!
    [ 65.711283] Kernel BUG [#1]
    [ 65.712032] Modules linked in:
    [ 65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1
    [ 65.714407] Hardware name: riscv-virtio,qemu (DT)
    [ 65.715696] epc : __find_get_block+0x218/0x2c8
    [ 65.716835] ra : __getblk_gfp+0x1c/0x4a
    [ 65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930
    [ 65.719553] gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038
    [ 65.721290] t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960
    [ 65.723051] s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a
    [ 65.724772] a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040
    [ 65.726545] a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000
    [ 65.728308] s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008
    [ 65.730049] s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8
    [ 65.731802] s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008
    [ 65.733516] s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f
    [ 65.734434] t5 : 00000000000003ff t6 : 0000000000040000
    [ 65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
    [ 65.734901] Call Trace:
    [ 65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8
    [ 65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6
    [ 65.735618] [<ffffffe000201b6c>] ext4_get_inode_loc+0x3a/0x8a
    [ 65.735802] [<ffffffe000203380>] ext4_reserve_inode_write+0x2e/0x8c
    [ 65.735999] [<ffffffe00020357a>] __ext4_mark_inode_dirty+0x4c/0x18e
    [ 65.736208] [<ffffffe000206bb0>] ext4_dirty_inode+0x46/0x66
    [ 65.736387] [<ffffffe000192914>] __mark_inode_dirty+0x12c/0x3da
    [ 65.736576] [<ffffffe000180dd2>] touch_atime+0x146/0x150
    [ 65.736748] [<ffffffe00010d762>] filemap_read+0x234/0x246
    [ 65.736920] [<ffffffe00010d834>] generic_file_read_iter+0xc0/0x114
    [ 65.737114] [<ffffffe0001f5d7a>] ext4_file_read_iter+0x42/0xea
    [ 65.737310] [<ffffffe000163f2c>] new_sync_read+0xe2/0x15a
    [ 65.737483] [<ffffffe000165814>] vfs_read+0xca/0xf2
    [ 65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8
    [ 65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16
    [ 65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2
    [ 65.738858] ---[ end trace fe93f985456c935d ]---

A simple reproducer looks like:

    echo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events
    echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
    cat /sys/kernel/debug/tracing/trace

Here's what happens to hit that BUG_ON():

1) After installing the kprobe at the entry of sys_read, the first instruction is replaced by an 'ebreak' instruction on the riscv64 platform.

2) Once the kernel reaches the 'ebreak' instruction at the entry of sys_read, it traps into the riscv breakpoint handler, where it does some setup for the coming single-step of the original instruction, including backing up 'sstatus' in pt_regs, followed by disabling interrupts during single stepping by clearing the 'SIE' bit of 'sstatus' in pt_regs.

3) Then the kernel restores to the instruction slot that contains two instructions: one is the original instruction at the entry of sys_read, the other is 'ebreak'. Here it triggers an 'Instruction page fault' exception (the value in 'scause' is '0xc') if the PF is not filled into the page table for that slot yet.

4) Again the kernel traps into the page fault exception handler, where it chooses a different policy according to the state of the running kprobe. Because after 2) the state is KPROBE_HIT_SS, the kernel resets the current kp ---truncated---

AI-Powered Analysis

AI analysis last updated: 06/30/2025, 18:09:52 UTC

Technical Analysis

CVE-2021-46957 is a medium-severity vulnerability in the Linux kernel's kprobe implementation for the RISC-V architecture. Kprobes are a kernel debugging mechanism for dynamic tracing: a probe is placed on kernel code and fires when that code executes. The issue arises when a kprobe is installed on the sys_read system call. On RISC-V, installing a kprobe at the entry point of sys_read replaces the first instruction with an 'ebreak' instruction that triggers a breakpoint. When sys_read is invoked, the kernel traps into the breakpoint handler and prepares to single-step the original instruction, backing up the processor status and disabling interrupts. When the kernel then resumes at the instruction slot holding the original instruction and a second 'ebreak', it may take an instruction page fault if the page table entry for that slot has not yet been populated. The page fault handler acts according to the current kprobe state, and because that state is handled improperly here, execution eventually reaches a BUG_ON() assertion in the __find_get_block function (fs/buffer.c, reached from the ext4 code path), producing a kernel panic. The result is a denial of service (DoS): the kernel crashes when sys_read is traced via kprobe on affected RISC-V Linux kernels. Confidentiality and integrity are not affected; the impact is loss of availability. Exploitation requires local privileges sufficient to install kprobes and does not require user interaction. The vulnerability was fixed in Linux kernel versions after 5.12-rc4. The CVSS 3.1 base score is 5.5 (medium severity) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact.

Potential Impact

For European organizations, the primary impact of CVE-2021-46957 is the potential for local denial of service on Linux systems running on the RISC-V architecture. While RISC-V adoption in Europe is currently limited compared to x86 and ARM, it is growing in embedded systems, IoT devices, and specialized computing environments. Organizations using RISC-V Linux systems for critical infrastructure, industrial control, or embedded applications could face service disruptions if an attacker with local access exploits this vulnerability. The kernel panic crashes the system, requiring a reboot and potentially causing downtime or loss of availability for critical services. Since exploitation requires local privileges, the threat comes mainly from malicious insiders or from attackers who have already compromised a system. The vulnerability does not allow privilege escalation or data compromise, but it can be used as one stage of a multi-stage attack to disrupt operations. European entities with RISC-V development or deployment, such as research institutions, telecom providers, or manufacturers, should be particularly aware of this risk. The lack of known exploits in the wild reduces the immediate risk, but patching is important to prevent future exploitation.

Mitigation Recommendations

1. Update Linux kernels on RISC-V systems to versions including the fix for CVE-2021-46957, ideally 5.12.0-rc5 or later stable releases where the patch is applied.

2. Restrict local access to RISC-V Linux systems to trusted users only, minimizing the risk of unauthorized kprobe installation.

3. Monitor kernel logs for unusual kprobe activity or kernel panics related to __find_get_block or ext4 filesystem errors.

4. For embedded or IoT devices using RISC-V Linux, ensure secure boot and firmware integrity to prevent unauthorized kernel modifications.

5. Implement strict privilege separation and auditing to detect and prevent misuse of debugging features like kprobes.

6. Coordinate with hardware and OS vendors to receive timely security updates and advisories for RISC-V platforms.

7. Consider disabling kprobe functionality if it is not required in production environments, to reduce the attack surface.

8. Test kernel updates in staging environments to confirm stability and the absence of regressions before deployment.
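The log-monitoring and kprobe-audit steps in recommendations 3 and 7 can be scripted. The following Python is an added example written for this page; it is not part of the advisory or of the Linux kernel project. It assumes the caller reads the tracefs kprobe_events file and the kernel log (dmesg) itself and passes their contents in as strings; the sample inputs below are constructed from the reproducer and the oops quoted in the description, and the crash signature it matches (a kernel BUG in fs/buffer.c with __find_get_block and sys_read both on the call trace) is taken from that trace.

```python
import re
from typing import Dict, List, Optional

# kprobe_events line format (tracefs): p[:[GRP/]EVENT] SYM[+offs]|ADDR [FETCHARGS]
# The advisory's reproducer writes: p:myprobe sys_read fd=%a0 buf=%a1 count=%a2
_KPROBE_RE = re.compile(r"^([pr])(\d*)(?::(?:(\w+)/)?(\w+))?\s+(\S+)")
_BUG_RE = re.compile(r"kernel BUG at ([\w/.-]+):(\d+)!")
_FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(\w+)\+0x")
_HW_RE = re.compile(r"Hardware name: (.+)$")
_VER_RE = re.compile(r"(?:Not tainted|Tainted: \S+)\s+(\S+)")

# Probe site named in the advisory; a probe here is what triggers the panic on RISC-V.
WATCHED_SYMBOLS = ("sys_read",)


def parse_kprobe_events(text: str) -> List[Dict[str, str]]:
    """Parse the contents of /sys/kernel/debug/tracing/kprobe_events into probe records."""
    probes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KPROBE_RE.match(line)
        if not m:
            continue
        kind, _maxactive, group, event, target = m.groups()
        # Strip an optional module prefix (MOD:SYM) and offset (SYM+offs) to get the bare symbol.
        symbol = target.split(":")[-1].split("+")[0]
        probes.append({
            "kind": "kprobe" if kind == "p" else "kretprobe",
            "group": group or "kprobes",   # tracefs default group
            "event": event or symbol,
            "symbol": symbol,
        })
    return probes


def probes_on_symbols(text: str, symbols=WATCHED_SYMBOLS) -> List[str]:
    """Return 'group/event' names of probes planted on any of the watched symbols."""
    return [f"{p['group']}/{p['event']}" for p in parse_kprobe_events(text) if p["symbol"] in symbols]


def detect_kprobe_read_panic(dmesg: str) -> Optional[Dict[str, object]]:
    """Match the crash signature quoted in the advisory. Returns None when it is absent."""
    bug_file = bug_line = hardware = kernel = None
    frames: List[str] = []
    for line in dmesg.splitlines():
        if (m := _BUG_RE.search(line)):
            bug_file, bug_line = m.group(1), int(m.group(2))
        elif (m := _HW_RE.search(line)):
            hardware = m.group(1).strip()
        elif (m := _VER_RE.search(line)):
            kernel = m.group(1)
        elif (m := _FRAME_RE.search(line)):
            frames.append(m.group(1))   # only "[<addr>] sym+off" call-trace lines land here
    if bug_file != "fs/buffer.c" or "__find_get_block" not in frames or "sys_read" not in frames:
        return None
    return {
        "file": bug_file,
        "line": bug_line,
        "kernel": kernel,
        "hardware": hardware,
        "riscv": "riscv" in (hardware or "").lower(),
        "frames": frames,
    }


def assess(kprobe_events_text: str, dmesg_text: str) -> Dict[str, object]:
    """Combine both checks into one record a monitoring job could emit."""
    hits = probes_on_symbols(kprobe_events_text)
    panic = detect_kprobe_read_panic(dmesg_text)
    return {"probes_on_sys_read": hits, "panic_signature": panic, "alert": bool(hits) or panic is not None}


# Constructed samples: the probe line from the advisory's reproducer and a trimmed copy of the
# quoted oops (the full trace on the page has many more register and frame lines).
SAMPLE_KPROBE_EVENTS = "p:myprobe sys_read fd=%a0 buf=%a1 count=%a2\n"
SAMPLE_DMESG = """\
[   65.708663] ------------[ cut here ]------------
[   65.709987] kernel BUG at fs/buffer.c:1251!
[   65.711283] Kernel BUG [#1]
[   65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1
[   65.714407] Hardware name: riscv-virtio,qemu (DT)
[   65.715696] epc : __find_get_block+0x218/0x2c8
[   65.734901] Call Trace:
[   65.735076] [<ffffffe00019f11e>] __find_get_block+0x218/0x2c8
[   65.735417] [<ffffffe00020017a>] __ext4_get_inode_loc+0xb2/0x2f6
[   65.737641] [<ffffffe000165bae>] ksys_read+0x5e/0xc8
[   65.737816] [<ffffffe000165c26>] sys_read+0xe/0x16
[   65.737973] [<ffffffe000003972>] ret_from_syscall+0x0/0x2
[   65.738858] ---[ end trace fe93f985456c935d ]---
"""

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_KPROBE_EVENTS, SAMPLE_DMESG), indent=2))
```

On a live system the two inputs come from /sys/kernel/debug/tracing/kprobe_events and from the kernel ring buffer; a probe on sys_read on a RISC-V host running a kernel older than the fix is worth an alert on its own, before any panic occurs.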


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-27T18:42:55.937Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe98cb

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 6:09:52 PM

Last updated: 7/26/2025, 1:57:19 AM

