
CVE-2021-47034: Vulnerability in Linux (Linux)

Medium
Vulnerability | CVE-2021-47034
Published: Wed Feb 28 2024 (02/28/2024, 08:13:42 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: Fix pte update for kernel memory on radix

When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised.

radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region.

However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults.

As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen:

  BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c
  Faulting instruction address: 0xc00000000008bd74
  Oops: Kernel access of bad area, sig: 11 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in: nop_module(PO+) [last unloaded: nop_module]
  CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43
  NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810
  REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty)
  MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000
  CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1

This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/

Chris Riedl suggested a reliable way to reproduce the issue:

  $ mount -t debugfs none /sys/kernel/debug
  $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) &

Turning ftrace on and off does a large amount of code patching which in usually less than 5min will crash giving a trace like:

  ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)
  ------------[ ftrace bug ]------------
  ftrace failed to modify
  [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390
   actual:   11:3b:47:4b
  Setting ftrace call site to call ftrace function
  ftrace record flags: 80000001
   (1)
   expected tramp: c00000000006c96c
  ------------[ cut here ]------------
  WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8
  Modules linked in: nop_module(PO-) [last unloaded: nop_module]
  CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1
  NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0
  REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a)
  MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000
  CFAR: c0000000001a9c98 IRQMASK: 0
  GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022
  GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8
  GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118
  GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000
  GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008
  GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8
  GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020
  GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0
  NIP ftrace_bug+0x28c/0x2e8
  LR ftrace_bug+0x288/0x2e8
  Call T
  ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 19:54:32 UTC

Technical Analysis

CVE-2021-47034 is a medium-severity vulnerability in the Linux kernel affecting the 64-bit PowerPC (powerpc/64s) architecture when the radix MMU (Memory Management Unit) is in use. The flaw is a missing memory-ordering step when page table entries (PTEs) for kernel memory are updated. On the radix MMU, a ptesync instruction is required after a PTE is added or updated so that the update is ordered before subsequent accesses to the mapped memory; without it a spurious fault may be raised. radix__set_pte_at() deliberately omits the ptesync for performance. That is safe for non-kernel memory, because any spurious fault is corrected by the page fault handler, but spurious faults on kernel memory are not handled and result in a kernel crash. The ptesync normally comes from flush_cache_vmap(), which is expected to be called when mapping in the vmalloc region, but map_kernel_page() does not call it, so nothing orders the PTE setup before the following write to the page. This matters most during dynamic code patching with Strict RWX, as performed by ftrace when it modifies kernel code at runtime: do_patch_instruction() maps the page frame containing the instruction and writes to it immediately. The description shows that rapidly toggling the ftrace tracer reproduces the fault, which manifests as a kernel oops or BUG message for a kernel data access fault, or as an "ftrace bug" warning. The vulnerability affects Linux kernel versions prior to the patch that adds the required synchronization, primarily on PowerPC 64s radix MMU systems. The CVSS score is 4.4 (medium), reflecting a local attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to availability (kernel crashes). There are no known exploits in the wild; confidentiality and integrity are not directly affected, but a kernel panic results in denial of service.

Potential Impact

For European organizations running Linux on PowerPC 64-bit systems with radix MMU, this vulnerability can lead to unexpected kernel crashes and system instability. This is particularly relevant for enterprises and research institutions using specialized hardware or embedded systems based on PowerPC architecture. The impact is primarily denial of service, which can disrupt critical services, cause downtime, and affect operational continuity. Since the vulnerability requires high privileges to exploit, it is less likely to be leveraged remotely but could be triggered by malicious or faulty privileged code, including kernel modules or debugging tools like ftrace. Organizations relying on dynamic kernel tracing or live patching on affected architectures are at higher risk. The lack of confidentiality or integrity impact reduces the risk of data breaches, but availability disruptions in critical infrastructure or industrial control systems could have significant operational and economic consequences.

Mitigation Recommendations

To mitigate CVE-2021-47034, affected organizations should promptly apply the official Linux kernel patches that add the necessary ptesync synchronization when updating kernel memory PTEs on PowerPC radix MMU systems. Specifically, ensure that kernel versions include the fix for radix__set_pte_at() and that map_kernel_page() calls flush_cache_vmap() as required. Avoid running untrusted or experimental kernel modules and minimize dynamic code patching operations until patches are applied. For systems using ftrace or similar tracing tools, limit their use or apply patches that address this issue to prevent triggering kernel faults. Additionally, implement robust monitoring to detect kernel oops or crashes indicative of this vulnerability. For environments where patching is delayed, consider isolating affected systems or restricting privileged access to reduce the risk of exploitation. Regularly update kernel versions and subscribe to Linux kernel security advisories to stay informed about related fixes.
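The monitoring recommendation above can be made concrete. The following is an added example, not code from the CVE record or from the Linux kernel project: a small Python scanner that reads kernel log output (as captured from dmesg or the journal) and flags the two crash signatures quoted in the description, the kernel data access write fault and the ftrace bug warning, together with whether the host reports MMU=Radix, so an operator can tell a crash of this shape apart from ordinary log noise. The sample log lines, the signature names and the function names are constructed for the example; the address and register values are copied from the oops text in the description.

```python
import re

# Constructed sample kernel log, modelled on the two traces quoted in the
# CVE description (not a real capture). One unrelated line is included so
# the scanner has something to ignore.
SAMPLE_LOG = """\
[  120.001] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
[  120.002] BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c
[  120.003] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43
[  300.010] ------------[ ftrace bug ]------------
[  300.011] WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8
[  300.012] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1
[  400.000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# Signatures taken from the description: a write fault on kernel memory, the
# ftrace bug banner, and the WARNING raised from kernel/trace/ftrace.c.
SIGNATURES = {
    "kernel_write_fault": re.compile(
        r"BUG: Unable to handle kernel data access on write at (0x[0-9a-f]+)"),
    "ftrace_bug_banner": re.compile(r"-+\[ ftrace bug \]-+"),
    "ftrace_warning": re.compile(
        r"WARNING: CPU: (\d+) PID: (\d+) at kernel/trace/ftrace\.c:\d+"),
}
# The "CPU: n PID: m Comm: ..." line that follows an oops carries the task
# name and the kernel version string (after the taint flags).
CPU_LINE = re.compile(r"CPU: (\d+) PID: (\d+) Comm: (\S+) .*?(\d+\.\d+\.\d+\S*)")
RADIX = re.compile(r"MMU=Radix")


def scan_kernel_log(text):
    """Return {'radix_mmu': bool, 'findings': [...]} for a block of log text.

    Each finding records which signature matched, the raw line, and, when the
    following CPU line is present, the CPU, PID, task name and kernel version.
    """
    findings = []
    radix = False
    pending = None  # most recent finding still waiting for its CPU line
    for line in text.splitlines():
        if RADIX.search(line):
            radix = True
        for name, rx in SIGNATURES.items():
            m = rx.search(line)
            if m:
                pending = {"signature": name, "line": line.strip(),
                           "cpu": None, "pid": None, "comm": None, "kernel": None}
                if name == "ftrace_warning":
                    pending["cpu"], pending["pid"] = int(m.group(1)), int(m.group(2))
                findings.append(pending)
                break
        else:
            m = CPU_LINE.search(line)
            if m and pending is not None and pending["kernel"] is None:
                pending["cpu"] = int(m.group(1))
                pending["pid"] = int(m.group(2))
                pending["comm"] = m.group(3)
                pending["kernel"] = m.group(4)
    return {"radix_mmu": radix, "findings": findings}


def matches_cve_2021_47034_shape(result):
    """True when a radix MMU host shows at least one of the quoted signatures."""
    return result["radix_mmu"] and bool(result["findings"])


if __name__ == "__main__":
    res = scan_kernel_log(SAMPLE_LOG)
    print("radix MMU:", res["radix_mmu"])
    for f in res["findings"]:
        print(f["signature"], "cpu", f["cpu"], "pid", f["pid"], "kernel", f["kernel"])
    print("matches CVE-2021-47034 crash shape:", matches_cve_2021_47034_shape(res))
```

Run it against `dmesg` output piped through `scan_kernel_log`; the MMU=Radix check only confirms the hardware configuration named in the advisory, it does not by itself confirm the kernel is unpatched, so pair a hit with a kernel version check against the vendor's fixed releases.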


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-27T18:42:55.964Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9b08

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 7:54:32 PM

Last updated: 8/17/2025, 6:05:34 PM

