Bugzilla – Bug 1195374
VUL-1: CVE-2021-4218: kernel-source-azure,kernel-source-rt,kernel-source: sysctl parameter read causes kernel panic ( rpcrdma module )
Last modified: 2022-04-12 13:33:17 UTC
A flaw was found in the Linux kernel's implementation of reading SVC RDMA counters. Reading the counter sysctl panics the system. This allows a local attacker with local access to be able to create a denial of service while the system reboots.
fix seems to be: 32927393dc1ccd60fb2bdc05b9e8e88753761469
(In reply to Robert Frohl from comment #1)
> fix seems to be: 32927393dc1ccd60fb2bdc05b9e8e88753761469
upstream since v5.9, but already backported by us to all kernels it seems. Could someone confirm this on the kernel side please?
I'm not sure whether it's a problem of the Red Hat kernel or generic in the upstream (i.e. whether we are affected).
It seems that their kernel backported some changes without the suggested fix commit. (e.g. svcrdma_counter_handler() is used for rdma_stat_read since the commit 1e7e55731628c90d8c701c45f9c3a3b8718840d6 that is in 5.12, while the suggested fix is in 5.9.)
Adding Thomas to Cc.
IMHO this is a Red Hat kernel problem.
svcrdma_counter_handler() was introduced in upstream kernel with commit
df971cd853c0 svcrdma: Convert rdma_stat_recv to a per-CPU counter (v5.12-rc1)
as a series of changes in net/sunrpc/xprtrdma/svc_rdma.c.
As this is all v5.12, only SLE15-SP4 would be affected. And just to be sure I've tried the test case and I don't see problems on SLE15-SP4.
Thanks for confirmation, that's my understanding, too: RH simply forgot to backport the prerequisite fix. Let's push back, then.