A critical vulnerability in the Linux kernel has been resolved: an incorrect length check in kernel tracing led to memory corruption. This post explains the exploit details, provides code snippets, and includes links to the original references.

Vulnerability Details

The vulnerability was first observed in production environments, where it caused severe kernel crashes due to memory corruption. The call trace that appears in the kernel log is as follows:

Call Trace:
[1640542.554277] general protection fault: 000 [#1] SMP PTI
...

James Wang was able to reproduce this issue reliably on the latest 4.19 LTS kernel. Debugging showed that the cause is an out-of-bounds access to the ftrace buffer. The output of a debugging tool is shown below:

[   86.775200] BUG: Out-of-bounds write at addr xffff88aefe8b700
...

Cause of the vulnerability

Commit b220c049d519 ("tracing: Check length before giving out the filter buffer") added a length check to guard against the trace data overflow introduced in fc1b09ff1ff. That check does not prevent the overflow entirely: it must also account for the sizeof entry->array[], because the array holds the length of the trace data and therefore occupies additional space in the buffer, which leaves room for an overflow.

Fix

The fix modifies the length check for kernel tracing to include the sizeof entry->array[] as well. This closes the previously unaddressed overflow and prevents the memory corruption.
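The two length checks described above, as an added example that is not kernel code: a simplified model of the ring-buffer event header and the per-CPU temp page, showing that the check from b220c049d519 still lets an event reach past the end of the page while the corrected check does not. The page size, the struct layout and the function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_PAGE_SIZE 4096UL  /* assumed size of the per-CPU temp buffer page */

/* Simplified model of the kernel's ring_buffer_event (assumption, not a
 * copy): a 4-byte header followed by a flexible u32 array, where array[0]
 * carries the trace data length for events handed out from the temp page. */
struct ring_buffer_event {
    uint32_t type_len:5, time_delta:27;
    uint32_t array[];
};

#define EVENT_HDR_SIZE  sizeof(struct ring_buffer_event)
#define EVENT_LEN_SIZE  sizeof(((struct ring_buffer_event *)0)->array[0])

/* Length check as it stood after b220c049d519: only the header is
 * subtracted from the page, the length word in array[0] is forgotten.
 * Returns 1 when the event is handed out, 0 when it is rejected. */
int check_before_fix(size_t len)
{
    return len < BUF_PAGE_SIZE - EVENT_HDR_SIZE;
}

/* Corrected check: room for array[0] is reserved as well. */
int check_after_fix(size_t len)
{
    return len < BUF_PAGE_SIZE - EVENT_HDR_SIZE - EVENT_LEN_SIZE;
}

/* Bytes the event would reach past the end of the page if the given
 * check accepts it; 0 when it is rejected or fits. */
size_t overflow_bytes(int (*check)(size_t), size_t len)
{
    size_t end;
    if (!check(len))
        return 0;
    end = EVENT_HDR_SIZE + EVENT_LEN_SIZE + len; /* header, length word, data */
    return end > BUF_PAGE_SIZE ? end - BUF_PAGE_SIZE : 0;
}

int main(void)
{
    /* Largest length the old check still accepts. */
    size_t len = BUF_PAGE_SIZE - EVENT_HDR_SIZE - 1;
    printf("len=%zu: old check overruns by %zu bytes, fixed check by %zu\n",
           len, overflow_bytes(check_before_fix, len),
           overflow_bytes(check_after_fix, len));
    return 0;
}
```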

References

1. Original Commit: b220c049d519 ("tracing: Check length before giving out the filter buffer")
2. Vulnerable Commit: fc1b09ff1ff ("tracing: Add trace event string match filtering")

Exploit Details

The flaw allows an out-of-bounds write, leading to memory corruption and a potential kernel crash or data leak. It lies in the tracing subsystem, so only an attacker who already has access to kernel tracing could potentially trigger it.

To guard against this vulnerability, ensure that you are running the latest patched version of the Linux kernel that includes the fix for CVE-2021-47274.

In conclusion, it is crucial to be aware of this vulnerability and to take the appropriate steps to protect your systems from attacks exploiting CVE-2021-47274: update your Linux kernel to the latest patched version and watch for any further advisories related to kernel tracing.

Timeline

Published on: 05/21/2024 15:15:15 UTC
Last modified on: 07/03/2024 01:37:32 UTC