CVE-2021-47566: Vulnerability in the Linux kernel (proc/vmcore)
In the Linux kernel, the following vulnerability has been resolved:

proc/vmcore: fix clearing user buffer by properly using clear_user()

To clear a user buffer we cannot simply use memset, we have to use clear_user(). With a virtio-mem device that registers a vmcore_cb and has some logically unplugged memory inside an added Linux memory block, I can easily trigger a BUG by copying the vmcore via "cp":

systemd[1]: Starting Kdump Vmcore Save Service...
kdump[420]: Kdump is using the default log level(3).
kdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/
kdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/
kdump[465]: saving vmcore-dmesg.txt complete
kdump[467]: saving vmcore
BUG: unable to handle page fault for address: 00007f2374e01000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867
Oops: 0003 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86
Code: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81
RSP: 0018:ffffc9000073be08 EFLAGS: 00010212
RAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000
RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008
RBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50
R10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000
R13: 00007f2374e01000 R14: 0000000000000000 R15: ffff88807bd421e8
FS:  00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0
Call Trace:
 read_vmcore+0x236/0x2c0
 proc_reg_read+0x55/0xa0
 vfs_read+0x95/0x190
 ksys_read+0x4f/0xc0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Some x86-64 CPUs have a CPU feature called "Supervisor Mode Access Prevention (SMAP)", which is used to detect wrong access from the kernel to user buffers like this: SMAP triggers a permissions violation on wrong access.

In the x86-64 variant of clear_user(), SMAP is properly handled via clac()+stac().

To fix, properly use clear_user() when we're dealing with a user buffer.
AI Analysis
Technical Summary
CVE-2021-47566 is a Linux kernel bug in the /proc/vmcore interface, the file through which a kdump capture kernel exposes the memory of the kernel that just crashed. When read_from_oldmem() reaches a page that the registered vmcore_cb reports as not RAM (with virtio-mem, memory that is logically unplugged inside an added memory block), it zero-fills that part of the output with a plain memset(), even when the destination is a user-space buffer. On x86-64 with Supervisor Mode Access Prevention (SMAP) enabled, any kernel-mode store to a user page is a permissions violation unless EFLAGS.AC is set around the access with stac() before and clac() after; memset() does neither, so the store takes a page fault with error_code 0x0003 and the kernel oopses, which is exactly the trace above: Oops 0003 in read_from_oldmem.part.0.cold, reached from read_vmcore() through a read() syscall issued by cp. clear_user() is the correct primitive for this: it raises AC around its stores, carries exception-table fixups so that a user page that is not present is reported rather than fatal, and returns the number of bytes it could not clear, which the caller converts into -EFAULT. The fix uses clear_user() when the destination is a user buffer and keeps memset() for kernel buffers. Note that SMAP only makes the bug loud; on hardware without SMAP the same memset() writes through to a present user page and still oopses on one that is not present, because a bare store has no fault fixup. The consequence is a crash of the capture kernel while the dump is being saved, so the vmcore of the original crash is lost; no memory is corrupted and no privilege boundary is crossed, because the fault is fatal rather than silently mishandled. Triggering it requires being able to read /proc/vmcore, which the kernel creates with mode 0400 (root only) and which exists only in the capture kernel, plus a driver that registers a vmcore_cb reporting non-RAM pages. The CVE record identifies the affected code by git commit rather than by release number: 997c136f518c5debd63847e78e2a8694f56dcf90 is the start of the affected range, and a kernel containing the fix commit titled "proc/vmcore: fix clearing user buffer by properly using clear_user()" is not affected. The CVE ID was reserved and published on May 24, 2024, long after the fix landed (the reporter's kernel was 5.15.0+), and no exploitation in the wild is reported.
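The control flow described above, as an added example that is not code from the kernel or from this page: a user-space model of the read_from_oldmem() page loop in which SMAP, pfn_is_ram(), clear_user() and copy_to_user() are simulated. Every identifier below (model_*, raw_kernel_memset, arena, MODEL_OOPS, the four-page memory map with pfn 2 unplugged) is the model's own assumption; the real kernel helpers have different signatures. It shows three things the paragraph states: a non-RAM page comes back zero-filled through the fixed path, a user page that is not present yields -EFAULT instead of a crash, and the pre-fix memset() on a user buffer trips the SMAP check.

```c
/* Added example, not kernel code: a user-space model of the read_from_oldmem()
 * page loop described above, with SMAP, pfn_is_ram(), clear_user() and
 * copy_to_user() simulated so the pre-fix memset() path and the fix can be
 * compared without a kernel. All names are the model's own. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE  4096UL
#define NUM_PFNS   4UL
#define MODEL_OOPS (-4096)   /* sentinel: a real kernel never returns from the oops */

/* Constructed memory map: pfn 2 is "logically unplugged" (what a virtio-mem
 * vmcore_cb reports through pfn_is_ram()); the other pages are RAM. */
static const bool pfn_ram[NUM_PFNS] = { true, true, false, true };
static unsigned char oldmem[NUM_PFNS][PAGE_SIZE];   /* crashed kernel's memory */

/* Simulated user buffer: only the first arena_mapped bytes are present, so a
 * store beyond that is a page fault the kernel has to recover from. */
static unsigned char arena[NUM_PFNS * PAGE_SIZE];
static size_t arena_mapped;

/* Simulated SMAP: EFLAGS.AC is clear unless stac() ran, so a kernel-mode
 * store into user memory without it is the permissions violation in the oops. */
static bool eflags_ac, smap_violation;
static void model_stac(void) { eflags_ac = true; }
static void model_clac(void) { eflags_ac = false; }

static int model_pfn_is_ram(unsigned long pfn) { return pfn < NUM_PFNS && pfn_ram[pfn]; }

/* What a plain memset() on a user pointer is to the CPU: a kernel-mode store
 * with no stac() and no exception-table fixup. Under SMAP it always faults;
 * without SMAP it still faults on a user page that is not present. */
static void raw_kernel_memset(size_t off, size_t n)
{
    if (!eflags_ac || off + n > arena_mapped) {
        smap_violation = true;   /* #PF in kernel mode with no fixup: oops */
        return;
    }
    memset(arena + off, 0, n);
}

/* Model of clear_user() (src == NULL) and copy_to_user() (src != NULL):
 * stac()/clac() around the stores, stores stop at the first missing page, and
 * the uaccess contract of returning the number of bytes NOT done (0 = success). */
static unsigned long model_uaccess_store(size_t off, const unsigned char *src, size_t n)
{
    size_t done = off < arena_mapped ? arena_mapped - off : 0;
    if (done > n)
        done = n;
    model_stac();
    if (src)
        memcpy(arena + off, src, done);
    else
        memset(arena + off, 0, done);
    model_clac();
    return n - done;
}

/* The page loop of read_from_oldmem() for a user buffer. use_clear_user=true
 * is the fixed code; false reproduces the pre-fix memset() on the user buffer.
 * Returns bytes read, -EINVAL, -EFAULT, or MODEL_OOPS. */
static ssize_t model_read_from_oldmem(unsigned long pos, size_t count, bool use_clear_user)
{
    size_t copied = 0;
    while (count) {
        unsigned long pfn = pos / PAGE_SIZE, left = 0;
        size_t offset = pos % PAGE_SIZE;
        size_t nr_bytes = PAGE_SIZE - offset;
        if (pfn >= NUM_PFNS)
            return -EINVAL;
        if (nr_bytes > count)
            nr_bytes = count;
        if (model_pfn_is_ram(pfn))
            left = model_uaccess_store(copied, oldmem[pfn] + offset, nr_bytes);
        else if (use_clear_user)
            left = model_uaccess_store(copied, NULL, nr_bytes);
        else
            raw_kernel_memset(copied, nr_bytes);   /* the bug: memset on a user buffer */
        if (smap_violation)
            return MODEL_OOPS;
        if (left)
            return -EFAULT;   /* how the fixed kernel code reports a bad user page */
        pos += nr_bytes;
        copied += nr_bytes;
        count -= nr_bytes;
    }
    return (ssize_t)copied;
}

/* Scenario driver: reset the model, make `mapped` bytes of the user buffer
 * present, then read `count` bytes of the vmcore starting at offset `pos`. */
static ssize_t model_read(unsigned long pos, size_t count, size_t mapped, bool use_clear_user)
{
    for (unsigned long i = 0; i < NUM_PFNS; i++)
        memset(oldmem[i], 'A' + (int)i, PAGE_SIZE);   /* page i holds 'A' + i */
    memset(arena, 0xFF, sizeof(arena));   /* stale bytes, so zero-fill is visible */
    arena_mapped = mapped < sizeof(arena) ? mapped : sizeof(arena);
    eflags_ac = smap_violation = false;
    return model_read_from_oldmem(pos, count, use_clear_user);
}

/* Accessors for checking the outcome after a model_read(). */
static int  model_user_byte(size_t off) { return arena[off]; }
static bool model_oopsed(void)          { return smap_violation; }
```

The point to take from the model is the contract, not the simulation: a kernel-side write to user memory must go through a uaccess helper that both toggles AC and has a fault fixup, and the caller must check the "bytes not done" return value. Reading the whole four-page vmcore through the fixed path returns 16384 bytes with page 2 zeroed; reading page 2 into a buffer with only 2048 bytes present returns -EFAULT without an oops; the pre-fix path on page 2 ends in MODEL_OOPS regardless of how much of the buffer is mapped.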
Potential Impact
For European organizations, as for anyone else, the impact of CVE-2021-47566 falls on crash-dump collection rather than on the running workload or on data confidentiality. The faulty code runs in the kdump capture kernel, which is only booted after the production kernel has already crashed; when the bug fires, the capture kernel itself oopses while saving /proc/vmcore, the dump of the original crash is lost, and depending on the configured kdump failure action the host reboots or sits until it is reset. The exposure is narrow: an x86-64 host with SMAP enabled, kdump configured, and a driver that registers a vmcore_cb reporting non-RAM pages (in the report, a virtio-mem guest with memory logically unplugged). Cloud providers and enterprises running virtio-mem guests with kdump, and anyone who relies on vmcores for root-cause analysis or forensics, are the ones affected, because an investigation that needs memory evidence from the crashed kernel will have nothing to work with. There is no privilege escalation or remote code execution: the fault is fatal rather than silently mishandled, and reaching it requires root in the capture kernel, which the cp run by the kdump service already has. No exploitation in the wild is reported, and deliberately abusing it gains an attacker nothing beyond what a root user in a capture kernel could do directly. The practical relevance is to availability and incident-response obligations: a dump you expected to have for analysis may simply not exist.
Mitigation Recommendations
To mitigate CVE-2021-47566, organizations should: 1) Run a kernel that carries the fix, the commit titled "proc/vmcore: fix clearing user buffer by properly using clear_user()"; look for that title or the CVE ID in the distribution's kernel changelog, and remember that the capture kernel used by kdump is normally the same image as the running kernel, so updating one updates both. 2) Test kdump end to end in the affected configuration instead of assuming the fix works: on a test guest with virtio-mem and some memory logically unplugged, force a crash (for example with the sysrq "c" trigger) and confirm that a vmcore file appears in the crash directory. 3) Watch for the failure signature where it actually appears: the oops is printed by the capture kernel, so it is on the serial console or in the kdump log, not in the production kernel's journal; a capture log that stops at "saving vmcore" followed by "BUG: unable to handle page fault" with read_from_oldmem in the RIP line is this bug. 4) Leave /proc/vmcore on its default root-only permissions (the kernel creates it mode 0400) and do not run readers of it in the capture environment beyond the dump tooling you have tested. 5) Account for lost dumps in incident response: if a host with this bug crashed and no vmcore was saved, plan on memory evidence being unavailable and fall back to vmcore-dmesg.txt, which the report shows is written before the vmcore and therefore survives. 6) For customised or long-lived kernels, backport the fix; it is a small change in fs/proc/vmcore.c. As a stop-gap only, adding nosmap to the capture kernel's command line removes the SMAP check that produces this particular oops, but it hides the bug rather than fixing it: the bare memset() still has no fault fixup, so a user page that is not present will still crash the capture kernel, and the parameter should be dropped as soon as a fixed kernel is in place.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.728Z
- CISA Enriched: true
- CVSS Version: null (no CVSS score assigned in the record)
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe94b6
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:42:35 PM
Last updated: 8/12/2025, 8:27:11 AM