Bug 1195374 - (CVE-2021-4218) VUL-1: CVE-2021-4218: kernel-source-azure,kernel-source-rt,kernel-source: sysctl parameter read causes kernel panic ( rpcrdma module )
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/322272/
CVSSv3.1:SUSE:CVE-2021-4218:4.4:(AV:L...
Reported: 2022-02-01 08:57 UTC by Robert Frohl
Modified: 2022-04-12 13:33 UTC
Found By: Security Response Team
Description Robert Frohl 2022-02-01 08:57:47 UTC
rh#2048359

A flaw was found in the Linux kernel's implementation of reading SVC RDMA counters. Reading the counter sysctl panics the system. This allows a local attacker with local access to be able to create a denial of service while the system reboots.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2048359
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4218
Comment 1 Robert Frohl 2022-02-01 09:10:55 UTC
fix seems to be: 32927393dc1ccd60fb2bdc05b9e8e88753761469
Comment 2 Robert Frohl 2022-02-01 10:08:52 UTC
(In reply to Robert Frohl from comment #1)
> fix seems to be: 32927393dc1ccd60fb2bdc05b9e8e88753761469

Upstream since v5.9, but already backported by us to all kernels it seems. Could someone confirm this on the kernel side please?
Comment 3 Takashi Iwai 2022-02-02 10:05:07 UTC
I'm not sure whether it's a problem of redhat kernel or generic in the upstream (i.e. whether we are affected).

It seems that their kernel backported some changes without the suggested fix commit.  (e.g. svcrdma_counter_handler() is used for rdma_stat_read since the commit 1e7e55731628c90d8c701c45f9c3a3b8718840d6 that is in 5.12, while the suggested fix is in 5.9.)

Adding Thomas to Cc.
Comment 4 Thomas Bogendoerfer 2022-02-02 13:23:12 UTC
IMHO this is a redhat kernel problem.

svcrdma_counter_handler() was introduced in upstream kernel with commit

df971cd853c0 svcrdma: Convert rdma_stat_recv to a per-CPU counter (v5.12-rc1)

as a series of changes in net/sunrpc/xprtrdma/svc_rdma.c.

As this is all v5.12, only SLE15-SP4 would be affected. And just to be sure, I've tried the test case and I don't see problems on SLE15-SP4.
Comment 5 Takashi Iwai 2022-02-02 13:28:17 UTC
Thanks for confirmation, that's my understanding, too: RH simply forgot to backport the prerequisite fix.  Let's push back, then.
Comment 6 Robert Frohl 2022-04-12 13:33:17 UTC
closing