Bug 1195374 – VUL-1: CVE-2021-4218: kernel-source-azure,kernel-source-rt,kernel-source: sysctl parameter read causes kernel panic ( rpcrdma module )

Bug 1195374 - (CVE-2021-4218) VUL-1: CVE-2021-4218: kernel-source-azure,kernel-source-rt,kernel-source: sysctl parameter read causes kernel panic ( rpcrdma module )

(CVE-2021-4218)
Summary:	VUL-1: CVE-2021-4218: kernel-source-azure,kernel-source-rt,kernel-source: sys...

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/322272/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-4218:4.4:(AV:L...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-02-01 08:57 UTC by Robert Frohl
Modified:	2022-04-12 13:33 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2022-02-01 08:57:47 UTC

rh#2048359

A flaw was found in the Linux kernels implementation of reading SVC RDMA counters.  Reading the counter sysctl panics the system.  This allows a local attacker with local access ot be able to create a denial of service while the system reboots.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2048359
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4218

Comment 1 Robert Frohl 2022-02-01 09:10:55 UTC

fix seems to be: 32927393dc1ccd60fb2bdc05b9e8e88753761469

Comment 2 Robert Frohl 2022-02-01 10:08:52 UTC

(In reply to Robert Frohl from comment #1)
> fix seems to be: 32927393dc1ccd60fb2bdc05b9e8e88753761469

upstream since v5.9, but already backported by us to all kernels it seems. Could someone confirm this on the kernel side please ?

Comment 3 Takashi Iwai 2022-02-02 10:05:07 UTC

I'm not sure whether it's a problem of redhat kernel or generic in the upstream (i.e. whether we are affected).

It seems that their kernel backported some changes without the suggested fix commit.  (e.g. svcrdma_counter_handler() is used for rdma_stat_read since the commit 1e7e55731628c90d8c701c45f9c3a3b8718840d6 that is in 5.12, while the suggested fix is in 5.9.)

Adding Thomas to Cc.

Comment 4 Thomas Bogendoerfer 2022-02-02 13:23:12 UTC

IMHO this is a redhat kernel problem.

svcrdma_counter_handler() was introduced in upstream kernel with commit

df971cd853c0 svcrdma: Convert rdma_stat_recv to a per-CPU counter (v5.12-rc1)

as a series of changes in net/sunrpc/xprtrdma/svc_rdma.c.

As this is all v5.12 only SLE15-SP4 would be affected. And just to be sure I've tried the test case and I don't see problems on SLE15-SP4.

Comment 5 Takashi Iwai 2022-02-02 13:28:17 UTC

Thanks for confirmation, that's my understanding, too: RH simply forgot to backport the prerequisite fix.  Let's push back, then.

Comment 6 Robert Frohl 2022-04-12 13:33:17 UTC

closing