CVE-2021-47640
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/kasan: Fix early region not updated correctly

The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negatives, as shown in the following text. Fix it by bringing the logic of kasan_early_shadow_page_entry here.

1. False Positive:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50
Write of size 16 at addr f57f3be0 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1
Call Trace:
[c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable)
[c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300
[c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200
[c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0
[c80d1cc0] [c03018a4] memset+0x34/0x90
[c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50
[c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570
[c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0
[c80d1db0] [c2036580] init_sd+0xc4/0x1d0
[c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c
[c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384
[c80d1ef0] [c0004b14] kernel_init+0x24/0x170
[c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64

Memory state around the buggy address:
 f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                               ^
 f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

2. False Negative (with KASAN tests):
==================================================================
Before fix:
    ok 45 - kmalloc_double_kzfree
    # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039
    KASAN failure expected in "((volatile char *)area)[3100]", but none occurred
    not ok 46 - vmalloc_oob
not ok 1 - kasan
==================================================================

After fix:
ok 1 - kasan
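The shift mismatch the commit message describes, modelled in user-space C as an added example (this is not the kernel's code and is not part of the CVE record). Only the constants PTE_RPN_SHIFT = 24 and PAGE_SHIFT = 12 come from the description; the toy shadow page table, the physical addresses, the PROT_BITS value, and the "buggy" and "fixed" comparison helpers are constructed assumptions that show why a check written against the physical address stops matching once the PTE's page-number field no longer starts at PAGE_SHIFT, so the early-region entries are never replaced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values named in the CVE description: 4 KiB pages, and a 64-bit PTE whose
 * real page number (RPN) field begins at bit 24 rather than at PAGE_SHIFT. */
#define PAGE_SHIFT     12
#define PTE_RPN_SHIFT  24
#define PTE_RPN_MASK   (~0ULL << PTE_RPN_SHIFT)
#define PROT_BITS      0x01ULL  /* constructed stand-in for PAGE_KERNEL bits */

#define NPTES 8  /* constructed: number of entries in the toy shadow table */

/* Constructed physical addresses: the shared early shadow page that every
 * entry maps at boot, and the first real shadow page of a region that is
 * allocated later and should replace it. */
#define EARLY_SHADOW_PA   0x01234000ULL
#define REGION_SHADOW_PA  0x0F000000ULL

typedef uint64_t pte_t;

/* pfn_pte()-style encoding: the PFN is stored at PTE_RPN_SHIFT, so the RPN
 * field of the PTE is not numerically equal to the physical address. */
static pte_t pfn_pte(uint64_t pfn, uint64_t prot)
{
	return (pfn << PTE_RPN_SHIFT) | prot;
}

static uint64_t pte_pfn(pte_t pte)
{
	return pte >> PTE_RPN_SHIFT;
}

/* Boot-time state: every entry of the table maps the early shadow page. */
static void init_early_table(pte_t *table)
{
	for (size_t i = 0; i < NPTES; i++)
		table[i] = pfn_pte(EARLY_SHADOW_PA >> PAGE_SHIFT, PROT_BITS);
}

/* Model of a faulty "does this entry still map the early page?" check that
 * compares the masked PTE directly with a physical address. That is only
 * meaningful when PTE_RPN_SHIFT == PAGE_SHIFT; with 24 versus 12 the
 * comparison never matches, so no entry is replaced.
 * Returns the number of entries updated. */
static int update_region_buggy(pte_t *table)
{
	int updated = 0;
	for (size_t i = 0; i < NPTES; i++) {
		if ((table[i] & PTE_RPN_MASK) != EARLY_SHADOW_PA)
			continue;
		table[i] = pfn_pte((REGION_SHADOW_PA >> PAGE_SHIFT) + i, PROT_BITS);
		updated++;
	}
	return updated;
}

/* Model of a corrected check: compare page frame numbers, which does not
 * depend on where the RPN field sits inside the PTE. */
static int update_region_fixed(pte_t *table)
{
	int updated = 0;
	for (size_t i = 0; i < NPTES; i++) {
		if (pte_pfn(table[i]) != (EARLY_SHADOW_PA >> PAGE_SHIFT))
			continue;
		table[i] = pfn_pte((REGION_SHADOW_PA >> PAGE_SHIFT) + i, PROT_BITS);
		updated++;
	}
	return updated;
}

/* Fresh table, buggy path: returns entries updated (0 under 24/12). */
static int demo_buggy(void)
{
	pte_t table[NPTES];
	init_early_table(table);
	return update_region_buggy(table);
}

/* Fresh table, fixed path: returns entries updated (all NPTES). */
static int demo_fixed(void)
{
	pte_t table[NPTES];
	init_early_table(table);
	return update_region_fixed(table);
}

int main(void)
{
	printf("buggy check replaced %d of %d early entries\n", demo_buggy(), NPTES);
	printf("fixed check replaced %d of %d early entries\n", demo_fixed(), NPTES);
	return 0;
}
```

With the buggy comparison the region keeps pointing at the shared early shadow page, which is what leaves KASAN both reporting accesses that are fine and missing the vmalloc_oob access the test expects it to catch; the PFN-based comparison replaces every entry.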
Security Summary
CVE-2021-47640 is a vulnerability in the Linux kernel's powerpc/kasan component, where the shadow page table is not correctly updated during early boot when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. This issue affects Kernel Address Sanitizer (KASAN) functionality on powerpc architectures, leading to both false positives and false negatives in memory error detection. False positives trigger erroneous KASAN reports, such as out-of-bounds writes during per-CPU allocator initialization (e.g., in pcpu_alloc), potentially causing kernel BUG panics. False negatives fail to detect actual out-of-bounds accesses, as demonstrated in KASAN tests like vmalloc_oob.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability, achieving high impacts on confidentiality, integrity, and availability (CVSS 3.1 score of 7.8, CWE-787: Out-of-bounds Write). On affected powerpc systems with KASAN enabled, an attacker could leverage false negatives to bypass memory safety checks, enabling undetected memory corruption, or induce false positives to trigger denial-of-service via kernel crashes during early initialization tasks like slab cache creation.
Mitigation requires applying upstream kernel patches from stable repositories, such as commits 5a3d8f3192a409893c57808cc935e16484df1068, 7f19245c3647afea8c7c41f795506ef70f64b9f2, dd75080aa8409ce10d50fb58981c6b59bf8707d3, de56beace6648065d404cd9835aa7d30e3df519d, and e3d157a4b4f4e0268c98be5b7013bf4b31234bb6. These fixes align the early shadow page entry logic with corrected KASAN handling, resolving both false positive reports and test failures. Security practitioners should prioritize updating powerpc kernels with KASAN in production environments.
Details
- CWE(s)