Bug 1193983 - (CVE-2021-4148) VUL-0: CVE-2021-4148: kernel-source-rt, kernel-source, kernel-source-azure: Improper implementation of block_invalidatepage() allows users to crash the kernel
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / Other
Importance: P3 - Medium, Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/318526/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4148:6.2:(AV:L...
Reported: 2021-12-22 08:11 UTC by Thomas Leroy
Modified: 2023-01-18 17:20 UTC (History)
Found By: Security Response Team

Description Thomas Leroy 2021-12-22 08:11:48 UTC
rh#2026487

In the Linux kernel before 5.15, an improper implementation of block_invalidatepage() allows users to crash the kernel. With read-only FS THP support, the page passed to block_invalidatepage() can be a huge page and the length passed with it is the size of the huge page rather than of a single page; because the function assumes a single page, a length greater than PAGE_SIZE trips its BUG() check. More generally, any implementation that is *NOT* THP aware and hardcodes PAGE_SIZE can trigger BUG() in the same way; block_invalidatepage() is one such case.

References:

https://lkml.org/lkml/2021/9/17/1037
https://lkml.org/lkml/2021/9/12/323
https://bugzilla.redhat.com/show_bug.cgi?id=2026487
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4148
Comment 1 Thomas Leroy 2021-12-22 08:12:27 UTC
The patch doesn't seem to be applied upstream yet.
Comment 2 Thomas Leroy 2021-12-22 08:28:50 UTC
Buggy commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb6ecbed0aa2

Without upstream patch, the following branches would be affected:
- SLE15-SP4
- stable
Comment 4 Vlastimil Babka 2022-03-14 15:32:45 UTC
(In reply to Thomas Leroy from comment #1)
> The patch doesn't seem to be applied upstream yet.

Looks like it was ultimately fixed by a4aeaa06d45e ("mm: khugepaged: skip huge page collapse for special files")
We have the commit in 15-SP4 already. It's also in stable. So we are fine.
Comment 5 Borislav Petkov 2022-03-20 11:56:03 UTC
Cool, thanks. I've added the CVE number to the 15sp4 patch. Bouncing back to sec team.
Comment 6 Gianluca Gabrielli 2022-03-21 10:17:43 UTC
Thank you, closing.