CVE-2021-47214 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: hugetlb, userfaultfd: fix reservation restore on userfaultfd error Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we bail out using "goto out_release_unlock;" in the cases where idx >= size, or !huge_pte_none(), the code will detect that new_pagecache_page == false, and so call restore_reserve_on_error(). In this case I see restore_reserve_on_error() delete the reservation, and the following call to remove_inode_hugepages() will increment h->resv_hugepages causing a 100% reproducible leak. We should treat the is_continue case similar to adding a page into the pagecache and set new_pagecache_page to true, to indicate that there is no reservation to restore on the error path, and we need not call restore_reserve_on_error(). Rename new_pagecache_page to page_in_pagecache to make that clear.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e
https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7
https://lore.kernel.org/linux-cve-announce/2024041005-CVE-2021-47214-59f9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47214
https://www.cve.org/CVERecord?id=CVE-2021-47214

History

Mon, 04 Nov 2024 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-10T19:01:54.543Z

Updated: 2024-12-19T07:37:32.623Z

Reserved: 2024-04-10T18:59:19.528Z

Link: CVE-2021-47214

Vulnrichment

Updated: 2024-08-04T05:32:07.447Z

NVD

Status : Awaiting Analysis

Published: 2024-04-10T19:15:48.680

Modified: 2024-11-21T06:35:38.583

Link: CVE-2021-47214

Redhat

Severity : Moderate

Publid Date: 2024-04-10T00:00:00Z

Links: CVE-2021-47214 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47214", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-04-10T18:59:19.528Z", "datePublished": "2024-04-10T19:01:54.543Z", "dateUpdated": "2024-12-19T07:37:32.623Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T07:37:32.623Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\n\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error(). In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\n\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error(). Rename new_pagecache_page to\npage_in_pagecache to make that clear."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/hugetlb.c"], "versions": [{"version": "c7b1850dfb41d0b4154aca8dbc04777fbd75616f", "lessThan": "b5069d44e2fbc4a9093d005b3ef0949add3dd27e", "status": "affected", "versionType": "git"}, {"version": "c7b1850dfb41d0b4154aca8dbc04777fbd75616f", "lessThan": "cc30042df6fcc82ea18acf0dace831503e60a0b7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/hugetlb.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.5", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e"}, {"url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7"}], "title": "hugetlb, userfaultfd: fix reservation restore on userfaultfd error", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T16:35:56.915589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:14:20.656Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.447Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.447Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T16:35:56.915589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.558Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "hugetlb, userfaultfd: fix reservation restore on userfaultfd error", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c7b1850dfb41", "lessThan": "b5069d44e2fb", "versionType": "git"}, {"status": "affected", "version": "c7b1850dfb41", "lessThan": "cc30042df6fc", "versionType": "git"}], "programFiles": ["mm/hugetlb.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.14"}, {"status": "unaffected", "version": "0", "lessThan": "5.14", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.5", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["mm/hugetlb.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e"}, {"url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\n\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error(). In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\n\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error(). Rename new_pagecache_page to\npage_in_pagecache to make that clear."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:01:38.204Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47214", "state": "PUBLISHED", "dateUpdated": "2024-11-04T12:01:38.204Z", "dateReserved": "2024-04-10T18:59:19.528Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-10T19:01:54.543Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\n\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error(). In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\n\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error(). Rename new_pagecache_page to\npage_in_pagecache to make that clear."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hugetlb, userfaultfd: se corrige el error de restauraci\u00f3n de reserva en userfaultfd Actualmente, en el caso is_continue en hugetlb_mcopy_atomic_pte(), si salimos usando \"goto out_release_unlock;\" en los casos donde idx >= size, o !huge_pte_none(), el c\u00f3digo detectar\u00e1 que new_pagecache_page == false, y por lo tanto llamar\u00e1 a restore_reserve_on_error(). En este caso, veo que restore_reserve_on_error() elimina la reserva, y la siguiente llamada a remove_inode_hugepages() incrementar\u00e1 h->resv_hugepages causando una fuga 100% reproducible. Deber\u00edamos tratar el caso is_continue de forma similar a agregar una p\u00e1gina al pagecache y establecer new_pagecache_page en true, para indicar que no hay ninguna reserva para restaurar en la ruta del error, y no necesitamos llamar a restore_reserve_on_error(). Cambie el nombre new_pagecache_page a page_in_pagecache para que quede claro."}], "id": "CVE-2021-47214", "lastModified": "2024-11-21T06:35:38.583", "metrics": {}, "published": "2024-04-10T19:15:48.680", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: hugetlb, userfaultfd: fix reservation restore on userfaultfd error", "id": "2274572", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274572"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "status": "draft"}, "cwe": "CWE-402", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error(). In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error(). Rename new_pagecache_page to\npage_in_pagecache to make that clear.", "A vulnerability was found in the Linux kernel, in the handling of memory reservations in the hugetlb subsystem and userfaultfd. This issue occurs during the error-handling process in the hugetlb_mcopy_atomic_pte() function. When an error is encountered, the system incorrectly calls restore_reserve_on_error(), which improperly removes memory reservations. This leads to a memory leak, as the following call to remove_inode_hugepages() erroneously increments the reserved hugepages counter. This vulnerability was fully resolved by modifying the process to correctly handle the reservation state and avoid unnecessary deletion in the event of an error."], "name": "CVE-2021-47214", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47214\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47214\nhttps://lore.kernel.org/linux-cve-announce/2024041005-CVE-2021-47214-59f9@gregkh/T"], "threat_severity": "Moderate"}