{ "threat_severity" : "Moderate", "public_date" : "2024-05-24T00:00:00Z", "bugzilla" : { "description" : "kernel: tcp: fix page frag corruption on page fault", "id" : "2283406", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2283406" }, "cvss3" : { "cvss3_base_score" : "6.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-119", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp: fix page frag corruption on page fault\nSteffen reported a TCP stream corruption for HTTP requests\nserved by the apache web-server using a cifs mount-point\nand memory mapping the relevant file.\nThe root cause is quite similar to the one addressed by\ncommit 20eb4f29b602 (\"net: fix sk_page_frag() recursion from\nmemory reclaim\"). Here the nested access to the task page frag\nis caused by a page fault on the (mmapped) user-space memory\nbuffer coming from the cifs file.\nThe page fault handler performs an smb transaction on a different\nsocket, inside the same process context. Since sk->sk_allaction\nfor such socket does not prevent the usage for the task_frag,\nthe nested allocation modify \"under the hood\" the page frag\nin use by the outer sendmsg call, corrupting the stream.\nThe overall relevant stack trace looks like the following:\nhttpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked:\nffffffff91461d91 tcp_sendmsg_locked+0x1\nffffffff91462b57 tcp_sendmsg+0x27\nffffffff9139814e sock_sendmsg+0x3e\nffffffffc06dfe1d smb_send_kvec+0x28\n[...]\nffffffffc06cfaf8 cifs_readpages+0x213\nffffffff90e83c4b read_pages+0x6b\nffffffff90e83f31 __do_page_cache_readahead+0x1c1\nffffffff90e79e98 filemap_fault+0x788\nffffffff90eb0458 __do_fault+0x38\nffffffff90eb5280 do_fault+0x1a0\nffffffff90eb7c84 __handle_mm_fault+0x4d4\nffffffff90eb8093 handle_mm_fault+0xc3\nffffffff90c74f6d __do_page_fault+0x1ed\nffffffff90c75277 do_page_fault+0x37\nffffffff9160111e page_fault+0x1e\nffffffff9109e7b5 copyin+0x25\nffffffff9109eb40 _copy_from_iter_full+0xe0\nffffffff91462370 tcp_sendmsg_locked+0x5e0\nffffffff91462370 tcp_sendmsg_locked+0x5e0\nffffffff91462b57 tcp_sendmsg+0x27\nffffffff9139815c sock_sendmsg+0x4c\nffffffff913981f7 sock_write_iter+0x97\nffffffff90f2cc56 do_iter_readv_writev+0x156\nffffffff90f2dff0 do_iter_write+0x80\nffffffff90f2e1c3 vfs_writev+0xa3\nffffffff90f2e27c do_writev+0x5c\nffffffff90c042bb do_syscall_64+0x5b\nffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65\nThe cifs filesystem rightfully sets sk_allocations to GFP_NOFS,\nwe can avoid the nesting using the sk page frag for allocation\nlacking the __GFP_FS flag. Do not define an additional mm-helper\nfor that, as this is strictly tied to the sk page frag usage.\nv1 -> v2:\n- use a stricted sk_page_frag() check instead of reordering the\ncode (Eric)", "A vulnerability was found in the Linux kernel's TCP subsystem in the tcp_sendmsg_locked() function, which can lead to page fragment corruption during a page fault, which occurs when a TCP stream experiences nested access to the task page fragment due to a page fault while handling memory-mapped user-space data from a CIFS mount." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-05-10T00:00:00Z", "advisory" : "RHSA-2022:1975", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-05-10T00:00:00Z", "advisory" : "RHSA-2022:1988", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-372.9.1.el8" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2023-01-24T00:00:00Z", "advisory" : "RHSA-2023:0395", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.98.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date" : "2023-01-24T00:00:00Z", "advisory" : "RHSA-2023:0395", "cpe" : "cpe:/o:redhat:rhel_tus:8.2", "package" : "kernel-0:4.18.0-193.98.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date" : "2023-01-24T00:00:00Z", "advisory" : "RHSA-2023:0395", "cpe" : "cpe:/o:redhat:rhel_e4s:8.2", "package" : "kernel-0:4.18.0-193.98.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date" : "2022-03-08T00:00:00Z", "advisory" : "RHSA-2022:0777", "cpe" : "cpe:/o:redhat:rhel_eus:8.4", "package" : "kernel-0:4.18.0-305.40.1.el8_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47544\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47544\nhttps://lore.kernel.org/linux-cve-announce/2024052440-CVE-2021-47544-ceb5@gregkh/T" ], "name" : "CVE-2021-47544", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }