CVE-2021-47034 (GCVE-0-2021-47034)

Vulnerability from cvelistv5 – Published: 2024-02-28 08:13 – Updated: 2025-05-04 07:02
VLAI?
Title
powerpc/64s: Fix pte update for kernel memory on radix
Summary
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching which in usually less then 5min will crash giving a trace like: ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call T ---truncated---
Severity ?
4.4 (Medium)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f1cb8f9beba8699dd1b4518418191499e53f7b17 , < b3d5d0983388d6c4fb35f7d722556d5595f167a7 (git)
Affected: f1cb8f9beba8699dd1b4518418191499e53f7b17 , < 73f9dccb29e4f82574bec2765c0090cdb0404301 (git)
Affected: f1cb8f9beba8699dd1b4518418191499e53f7b17 , < 84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f (git)
Affected: f1cb8f9beba8699dd1b4518418191499e53f7b17 , < 01ac203e2119d8922126886ddea309fb676f955f (git)
Affected: f1cb8f9beba8699dd1b4518418191499e53f7b17 , < e40c52ee67b155ad59f59e73ea136d02685f0e0d (git)
Affected: f1cb8f9beba8699dd1b4518418191499e53f7b17 , < b8b2f37cf632434456182e9002d63cbc4cccc50c (git)
Create a notification for this product.
    Linux Linux Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 4.19.191 , ≤ 4.19.* (semver)
Unaffected: 5.4.119 , ≤ 5.4.* (semver)
Unaffected: 5.10.37 , ≤ 5.10.* (semver)
Unaffected: 5.11.21 , ≤ 5.11.* (semver)
Unaffected: 5.12.4 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-47034",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-28T18:29:52.641252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T14:23:24.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:24:39.854Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b3d5d0983388d6c4fb35f7d722556d5595f167a7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/73f9dccb29e4f82574bec2765c0090cdb0404301"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/01ac203e2119d8922126886ddea309fb676f955f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e40c52ee67b155ad59f59e73ea136d02685f0e0d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b8b2f37cf632434456182e9002d63cbc4cccc50c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/include/asm/book3s/64/radix.h",
            "arch/powerpc/mm/book3s64/radix_pgtable.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3d5d0983388d6c4fb35f7d722556d5595f167a7",
              "status": "affected",
              "version": "f1cb8f9beba8699dd1b4518418191499e53f7b17",
              "versionType": "git"
            },
            {
              "lessThan": "73f9dccb29e4f82574bec2765c0090cdb0404301",
              "status": "affected",
              "version": "f1cb8f9beba8699dd1b4518418191499e53f7b17",
              "versionType": "git"
            },
            {
              "lessThan": "84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f",
              "status": "affected",
              "version": "f1cb8f9beba8699dd1b4518418191499e53f7b17",
              "versionType": "git"
            },
            {
              "lessThan": "01ac203e2119d8922126886ddea309fb676f955f",
              "status": "affected",
              "version": "f1cb8f9beba8699dd1b4518418191499e53f7b17",
              "versionType": "git"
            },
            {
              "lessThan": "e40c52ee67b155ad59f59e73ea136d02685f0e0d",
              "status": "affected",
              "version": "f1cb8f9beba8699dd1b4518418191499e53f7b17",
              "versionType": "git"
            },
            {
              "lessThan": "b8b2f37cf632434456182e9002d63cbc4cccc50c",
              "status": "affected",
              "version": "f1cb8f9beba8699dd1b4518418191499e53f7b17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/include/asm/book3s/64/radix.h",
            "arch/powerpc/mm/book3s64/radix_pgtable.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.191",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.191",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.119",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.37",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.21",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.4",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix pte update for kernel memory on radix\n\nWhen adding a PTE a ptesync is needed to order the update of the PTE\nwith subsequent accesses otherwise a spurious fault may be raised.\n\nradix__set_pte_at() does not do this for performance gains. For\nnon-kernel memory this is not an issue as any faults of this kind are\ncorrected by the page fault handler. For kernel memory these faults\nare not handled. The current solution is that there is a ptesync in\nflush_cache_vmap() which should be called when mapping from the\nvmalloc region.\n\nHowever, map_kernel_page() does not call flush_cache_vmap(). This is\ntroublesome in particular for code patching with Strict RWX on radix.\nIn do_patch_instruction() the page frame that contains the instruction\nto be patched is mapped and then immediately patched. With no ordering\nor synchronization between setting up the PTE and writing to the page\nit is possible for faults.\n\nAs the code patching is done using __put_user_asm_goto() the resulting\nfault is obscured - but using a normal store instead it can be seen:\n\n  BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c\n  Faulting instruction address: 0xc00000000008bd74\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n  Modules linked in: nop_module(PO+) [last unloaded: nop_module]\n  CPU: 4 PID: 757 Comm: sh Tainted: P           O      5.10.0-rc5-01361-ge3c1b78c8440-dirty #43\n  NIP:  c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810\n  REGS: c000000016f634a0 TRAP: 0300   Tainted: P           O       (5.10.0-rc5-01361-ge3c1b78c8440-dirty)\n  MSR:  9000000000009033 \u003cSF,HV,EE,ME,IR,DR,RI,LE\u003e  CR: 44002884  XER: 00000000\n  CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1\n\nThis results in the kind of issue reported here:\n  https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/\n\nChris Riedl suggested a reliable way to reproduce the issue:\n  $ mount -t debugfs none /sys/kernel/debug\n  $ (while true; do echo function \u003e /sys/kernel/debug/tracing/current_tracer ; echo nop \u003e /sys/kernel/debug/tracing/current_tracer ; done) \u0026\n\nTurning ftrace on and off does a large amount of code patching which\nin usually less then 5min will crash giving a trace like:\n\n   ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)\n   ------------[ ftrace bug ]------------\n   ftrace failed to modify\n   [\u003cc000000000bf8e5c\u003e] napi_busy_loop+0xc/0x390\n    actual:   11:3b:47:4b\n   Setting ftrace call site to call ftrace function\n   ftrace record flags: 80000001\n    (1)\n    expected tramp: c00000000006c96c\n   ------------[ cut here ]------------\n   WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8\n   Modules linked in: nop_module(PO-) [last unloaded: nop_module]\n   CPU: 4 PID: 809 Comm: sh Tainted: P           O      5.10.0-rc5-01360-gf878ccaf250a #1\n   NIP:  c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0\n   REGS: c000000004c8b760 TRAP: 0700   Tainted: P           O       (5.10.0-rc5-01360-gf878ccaf250a)\n   MSR:  900000000282b033 \u003cSF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e  CR: 28008848  XER: 20040000\n   CFAR: c0000000001a9c98 IRQMASK: 0\n   GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022\n   GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8\n   GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118\n   GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000\n   GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008\n   GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8\n   GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020\n   GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0\n   NIP ftrace_bug+0x28c/0x2e8\n   LR  ftrace_bug+0x288/0x2e8\n   Call T\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:02:43.356Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3d5d0983388d6c4fb35f7d722556d5595f167a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/73f9dccb29e4f82574bec2765c0090cdb0404301"
        },
        {
          "url": "https://git.kernel.org/stable/c/84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f"
        },
        {
          "url": "https://git.kernel.org/stable/c/01ac203e2119d8922126886ddea309fb676f955f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e40c52ee67b155ad59f59e73ea136d02685f0e0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8b2f37cf632434456182e9002d63cbc4cccc50c"
        }
      ],
      "title": "powerpc/64s: Fix pte update for kernel memory on radix",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47034",
    "datePublished": "2024-02-28T08:13:42.720Z",
    "dateReserved": "2024-02-27T18:42:55.964Z",
    "dateUpdated": "2025-05-04T07:02:43.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/b3d5d0983388d6c4fb35f7d722556d5595f167a7\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/73f9dccb29e4f82574bec2765c0090cdb0404301\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/01ac203e2119d8922126886ddea309fb676f955f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/e40c52ee67b155ad59f59e73ea136d02685f0e0d\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/b8b2f37cf632434456182e9002d63cbc4cccc50c\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:24:39.854Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47034\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-28T18:29:52.641252Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:13.579Z\"}}], \"cna\": {\"title\": \"powerpc/64s: Fix pte update for kernel memory on radix\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"f1cb8f9beba8699dd1b4518418191499e53f7b17\", \"lessThan\": \"b3d5d0983388d6c4fb35f7d722556d5595f167a7\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f1cb8f9beba8699dd1b4518418191499e53f7b17\", \"lessThan\": \"73f9dccb29e4f82574bec2765c0090cdb0404301\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f1cb8f9beba8699dd1b4518418191499e53f7b17\", \"lessThan\": \"84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f1cb8f9beba8699dd1b4518418191499e53f7b17\", \"lessThan\": \"01ac203e2119d8922126886ddea309fb676f955f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f1cb8f9beba8699dd1b4518418191499e53f7b17\", \"lessThan\": \"e40c52ee67b155ad59f59e73ea136d02685f0e0d\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f1cb8f9beba8699dd1b4518418191499e53f7b17\", \"lessThan\": \"b8b2f37cf632434456182e9002d63cbc4cccc50c\", \"versionType\": \"git\"}], \"programFiles\": [\"arch/powerpc/include/asm/book3s/64/radix.h\", \"arch/powerpc/mm/book3s64/radix_pgtable.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.18\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.18\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.191\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.119\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.37\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.11.21\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.11.*\"}, {\"status\": \"unaffected\", \"version\": \"5.12.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.12.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"arch/powerpc/include/asm/book3s/64/radix.h\", \"arch/powerpc/mm/book3s64/radix_pgtable.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/b3d5d0983388d6c4fb35f7d722556d5595f167a7\"}, {\"url\": \"https://git.kernel.org/stable/c/73f9dccb29e4f82574bec2765c0090cdb0404301\"}, {\"url\": \"https://git.kernel.org/stable/c/84c0762633f2a7ac8399e6b97d3b9bb8e6e1d50f\"}, {\"url\": \"https://git.kernel.org/stable/c/01ac203e2119d8922126886ddea309fb676f955f\"}, {\"url\": \"https://git.kernel.org/stable/c/e40c52ee67b155ad59f59e73ea136d02685f0e0d\"}, {\"url\": \"https://git.kernel.org/stable/c/b8b2f37cf632434456182e9002d63cbc4cccc50c\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\npowerpc/64s: Fix pte update for kernel memory on radix\\n\\nWhen adding a PTE a ptesync is needed to order the update of the PTE\\nwith subsequent accesses otherwise a spurious fault may be raised.\\n\\nradix__set_pte_at() does not do this for performance gains. For\\nnon-kernel memory this is not an issue as any faults of this kind are\\ncorrected by the page fault handler. For kernel memory these faults\\nare not handled. The current solution is that there is a ptesync in\\nflush_cache_vmap() which should be called when mapping from the\\nvmalloc region.\\n\\nHowever, map_kernel_page() does not call flush_cache_vmap(). This is\\ntroublesome in particular for code patching with Strict RWX on radix.\\nIn do_patch_instruction() the page frame that contains the instruction\\nto be patched is mapped and then immediately patched. With no ordering\\nor synchronization between setting up the PTE and writing to the page\\nit is possible for faults.\\n\\nAs the code patching is done using __put_user_asm_goto() the resulting\\nfault is obscured - but using a normal store instead it can be seen:\\n\\n  BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c\\n  Faulting instruction address: 0xc00000000008bd74\\n  Oops: Kernel access of bad area, sig: 11 [#1]\\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\\n  Modules linked in: nop_module(PO+) [last unloaded: nop_module]\\n  CPU: 4 PID: 757 Comm: sh Tainted: P           O      5.10.0-rc5-01361-ge3c1b78c8440-dirty #43\\n  NIP:  c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810\\n  REGS: c000000016f634a0 TRAP: 0300   Tainted: P           O       (5.10.0-rc5-01361-ge3c1b78c8440-dirty)\\n  MSR:  9000000000009033 \u003cSF,HV,EE,ME,IR,DR,RI,LE\u003e  CR: 44002884  XER: 00000000\\n  CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1\\n\\nThis results in the kind of issue reported here:\\n  https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/\\n\\nChris Riedl suggested a reliable way to reproduce the issue:\\n  $ mount -t debugfs none /sys/kernel/debug\\n  $ (while true; do echo function \u003e /sys/kernel/debug/tracing/current_tracer ; echo nop \u003e /sys/kernel/debug/tracing/current_tracer ; done) \u0026\\n\\nTurning ftrace on and off does a large amount of code patching which\\nin usually less then 5min will crash giving a trace like:\\n\\n   ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)\\n   ------------[ ftrace bug ]------------\\n   ftrace failed to modify\\n   [\u003cc000000000bf8e5c\u003e] napi_busy_loop+0xc/0x390\\n    actual:   11:3b:47:4b\\n   Setting ftrace call site to call ftrace function\\n   ftrace record flags: 80000001\\n    (1)\\n    expected tramp: c00000000006c96c\\n   ------------[ cut here ]------------\\n   WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8\\n   Modules linked in: nop_module(PO-) [last unloaded: nop_module]\\n   CPU: 4 PID: 809 Comm: sh Tainted: P           O      5.10.0-rc5-01360-gf878ccaf250a #1\\n   NIP:  c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0\\n   REGS: c000000004c8b760 TRAP: 0700   Tainted: P           O       (5.10.0-rc5-01360-gf878ccaf250a)\\n   MSR:  900000000282b033 \u003cSF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e  CR: 28008848  XER: 20040000\\n   CFAR: c0000000001a9c98 IRQMASK: 0\\n   GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022\\n   GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8\\n   GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118\\n   GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000\\n   GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008\\n   GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8\\n   GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020\\n   GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0\\n   NIP ftrace_bug+0x28c/0x2e8\\n   LR  ftrace_bug+0x288/0x2e8\\n   Call T\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.191\", \"versionStartIncluding\": \"4.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.119\", \"versionStartIncluding\": \"4.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.37\", \"versionStartIncluding\": \"4.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.11.21\", \"versionStartIncluding\": \"4.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.12.4\", \"versionStartIncluding\": \"4.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.13\", \"versionStartIncluding\": \"4.18\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:02:43.356Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47034\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T07:02:43.356Z\", \"dateReserved\": \"2024-02-27T18:42:55.964Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-28T08:13:42.720Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.