CVE-2021-47618: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

ARM: 9170/1: fix panic when kasan and kprobe are enabled

Arm32 uses software to simulate the instruction replaced by kprobe. Some instructions may be simulated by constructing assembly functions. Therefore, before executing instruction simulation, it is necessary to construct the assembly function execution environment in C language through binding registers. After kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing a kernel panic.

The kprobe emulate instruction function is distributed in three files: actions-common.c, actions-arm.c, actions-thumb.c, so disable KASAN when compiling these files.

For example, use kprobe insert on cap_capable+20 after kasan is enabled. The cap_capable assembly code is as follows:

    <cap_capable>:
    e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
    e1a05000 mov r5, r0
    e280006c add r0, r0, #108 ; 0x6c
    e1a04001 mov r4, r1
    e1a06002 mov r6, r2
    e59fa090 ldr sl, [pc, #144] ;
    ebfc7bf8 bl c03aa4b4 <__asan_load4>
    e595706c ldr r7, [r5, #108] ; 0x6c
    e2859014 add r9, r5, #20
    ......

The emulate_ldr assembly code after enabling kasan is as follows:

    c06f1384 <emulate_ldr>:
    e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
    e282803c add r8, r2, #60 ; 0x3c
    e1a05000 mov r5, r0
    e7e37855 ubfx r7, r5, #16, #4
    e1a00008 mov r0, r8
    e1a09001 mov r9, r1
    e1a04002 mov r4, r2
    ebf35462 bl c03c6530 <__asan_load4>
    e357000f cmp r7, #15
    e7e36655 ubfx r6, r5, #12, #4
    e205a00f and sl, r5, #15
    0a000001 beq c06f13bc <emulate_ldr+0x38>
    e0840107 add r0, r4, r7, lsl #2
    ebf3545c bl c03c6530 <__asan_load4>
    e084010a add r0, r4, sl, lsl #2
    ebf3545a bl c03c6530 <__asan_load4>
    e2890010 add r0, r9, #16
    ebf35458 bl c03c6530 <__asan_load4>
    e5990010 ldr r0, [r9, #16]
    e12fff30 blx r0
    e356000f cmp r6, #15
    1a000014 bne c06f1430 <emulate_ldr+0xac>
    e1a06000 mov r6, r0
    e2840040 add r0, r4, #64 ; 0x40
    ......

When running in emulate_ldr to simulate the ldr instruction, a panic occurred, and the log is as follows:

    Unable to handle kernel NULL pointer dereference at virtual address 00000090
    pgd = ecb46400
    [00000090] *pgd=2e0fa003, *pmd=00000000
    Internal error: Oops: 206 [#1] SMP ARM
    PC is at cap_capable+0x14/0xb0
    LR is at emulate_ldr+0x50/0xc0
    psr: 600d0293
    sp : ecd63af8  ip : 00000004  fp : c0a7c30c
    r10: 00000000  r9 : c30897f4  r8 : ecd63cd4
    r7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98
    r3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008
    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 32c5387d  Table: 2d546400  DAC: 55555555
    Process bash (pid: 1643, stack limit = 0xecd60190)
    (cap_capable) from (kprobe_handler+0x218/0x340)
    (kprobe_handler) from (kprobe_trap_handler+0x24/0x48)
    (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)
    (do_undefinstr) from (__und_svc_finish+0x0/0x30)
    (__und_svc_finish) from (cap_capable+0x18/0xb0)
    (cap_capable) from (cap_vm_enough_memory+0x38/0x48)
    (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c)
    (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8)
    (copy_process.constprop.5) from (_do_fork+0xe8/0x55c)
    (_do_fork) from (SyS_clone+0x1c/0x24)
    (SyS_clone) from (__sys_trace_return+0x0/0x10)
    Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)
AI Analysis
Technical Summary
CVE-2021-47618 is a vulnerability in the Linux kernel that affects 32-bit ARM systems when both the Kernel Address Sanitizer (KASAN) and the kprobe debugging feature are enabled at the same time. On arm32, the instruction that a kprobe replaces is emulated in software; some instructions are emulated by constructing assembly functions, and C code has to set up the execution environment for those functions by binding values to specific registers. When KASAN is enabled, its instrumentation (the __asan_load4 calls visible in the emulate_ldr disassembly above) is inserted into that C code and disturbs the register bindings, so the emulation runs with the wrong register contents. In the reported case the emulation of an 'ldr' (load register) instruction in emulate_ldr dereferences a NULL pointer, and the kernel panics while executing cap_capable, a kernel function that performs capability checks. The root cause is therefore that KASAN instrumentation breaks the register bindings that kprobe's instruction emulation relies on, leading to invalid memory accesses and a crash. The fix disables KASAN when compiling the kprobe emulation sources (actions-common.c, actions-arm.c, actions-thumb.c) so that the register bindings are preserved. The issue is specific to ARM 32-bit Linux kernels with both KASAN and kprobe enabled; other architectures, and configurations without both features enabled together, are not affected. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2021-47618 primarily concerns systems running ARM 32-bit Linux kernels with both KASAN and kprobe enabled. Such configurations are typically found in development, debugging, or specialized embedded environments rather than general production servers. However, organizations involved in embedded systems, IoT devices, or ARM-based development platforms could experience system instability or denial of service due to kernel panics triggered by this vulnerability. The kernel panic results in abrupt system crashes, potentially causing service interruptions, data loss, and operational downtime. In critical infrastructure or industrial control systems using ARM 32-bit Linux kernels, this could lead to significant disruptions. Since the vulnerability requires specific kernel features enabled simultaneously, the attack surface is limited, but the inability to handle kernel panics gracefully can affect system reliability and availability. European organizations relying on ARM-based Linux devices for edge computing, telecommunications, or industrial applications should be aware of this issue. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or intentional triggering of kernel panics, impacting system stability and availability.
Mitigation Recommendations
To mitigate CVE-2021-47618, European organizations should:
1) Audit their ARM 32-bit Linux kernel deployments to identify systems with both KASAN and kprobe enabled, focusing on development and embedded environments.
2) Apply the official Linux kernel patches that disable KASAN when compiling the kprobe emulate instruction functions (actions-common.c, actions-arm.c, actions-thumb.c) to prevent register binding corruption.
3) If patching is not immediately feasible, consider disabling either KASAN or kprobe on affected systems to avoid the conflicting interaction causing kernel panics.
4) Implement robust monitoring and alerting for kernel panics and system crashes on ARM 32-bit devices to detect potential exploitation or accidental triggers promptly.
5) For embedded and IoT devices, coordinate with vendors to ensure firmware updates include the fix or disable conflicting features.
6) Conduct thorough testing of kernel updates in staging environments to verify stability before deployment in production.
7) Educate development and operations teams about the risk of enabling both KASAN and kprobe simultaneously on ARM 32-bit kernels to prevent misconfiguration.
These targeted actions go beyond generic advice by focusing on the specific kernel features and compilation settings involved in this vulnerability.
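Two defender-side checks for steps 1 and 2 above, written as an added example (not part of the CVE record or of the kernel patch): one tests whether a kernel .config matches the only affected combination the commit message names (CONFIG_ARM, CONFIG_KASAN and CONFIG_KPROBES all set), the other tests whether the kprobes Makefile of a source tree opts the three emulation objects out of KASAN using Kbuild's per-object switch KASAN_SANITIZE_<obj>.o := n, which is how "disable KASAN when compiling these files" is expressed in Kbuild. The config and Makefile paths are supplied by the caller, and the inputs in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the CVE record or the kernel patch it describes.
# Two defender-side checks for CVE-2021-47618; each returns 0 for "yes", 1 for "no".

# Does a kernel .config describe the only affected combination named in the
# commit message: a 32-bit ARM kernel (CONFIG_ARM, not CONFIG_ARM64) with both
# KASAN and kprobes enabled?
kasan_kprobe_combo_enabled() {
    config="$1"
    grep -q '^CONFIG_ARM=y$' "$config" || return 1
    grep -q '^CONFIG_KASAN=y$' "$config" || return 1
    grep -q '^CONFIG_KPROBES=y$' "$config"
}

# Does the kprobes Makefile of a source tree (path supplied by the caller) opt
# all three emulation objects out of KASAN instrumentation? Kbuild's per-object
# switch for that is "KASAN_SANITIZE_<obj>.o := n"; a tree that covers only some
# of the three objects is treated as unfixed.
kprobes_makefile_has_fix() {
    makefile="$1"
    for obj in actions-common actions-arm actions-thumb; do
        grep -Eq "^KASAN_SANITIZE_${obj}\.o[[:space:]]*:?=[[:space:]]*n([[:space:]]|$)" \
            "$makefile" || return 1
    done
}

# Demonstration on constructed inputs (not output of any real system). The
# Makefile deliberately lacks the actions-thumb line, so the fix is reported
# as incomplete.
demo() {
    cfg=$(mktemp); mk=$(mktemp)
    printf 'CONFIG_ARM=y\nCONFIG_KASAN=y\nCONFIG_KPROBES=y\n' > "$cfg"
    printf 'KASAN_SANITIZE_actions-common.o := n\nKASAN_SANITIZE_actions-arm.o := n\n' > "$mk"
    if ! kasan_kprobe_combo_enabled "$cfg"; then
        echo "config not affected (not arm32, or KASAN/kprobes not both enabled)"
    elif kprobes_makefile_has_fix "$mk"; then
        echo "affected config, but the tree carries the KASAN opt-out for all three objects"
    else
        echo "affected config and the KASAN opt-out is missing or incomplete"
    fi
    rm -f "$cfg" "$mk"
}
demo
```

On a live system the config can be taken from /boot/config-$(uname -r) or from zcat /proc/config.gz written to a temporary file.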
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-19T14:55:32.795Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe95f0
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 3:27:49 PM
Last updated: 8/10/2025, 12:46:25 AM