{
  "threat_severity" : "Low",
  "public_date" : "2024-05-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: proc/vmcore: fix clearing user buffer by properly using clear_user()",
    "id" : "2283463",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2283463"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-501",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nproc/vmcore: fix clearing user buffer by properly using clear_user()\nTo clear a user buffer we cannot simply use memset, we have to use\nclear_user().  With a virtio-mem device that registers a vmcore_cb and\nhas some logically unplugged memory inside an added Linux memory block,\nI can easily trigger a BUG by copying the vmcore via \"cp\":\nsystemd[1]: Starting Kdump Vmcore Save Service...\nkdump[420]: Kdump is using the default log level(3).\nkdump[453]: saving to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/\nkdump[458]: saving vmcore-dmesg.txt to /sysroot/var/crash/127.0.0.1-2021-11-11-14:59:22/\nkdump[465]: saving vmcore-dmesg.txt complete\nkdump[467]: saving vmcore\nBUG: unable to handle page fault for address: 00007f2374e01000\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0003) - permissions violation\nPGD 7a523067 P4D 7a523067 PUD 7a528067 PMD 7a525067 PTE 800000007048f867\nOops: 0003 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 468 Comm: cp Not tainted 5.15.0+ #6\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-27-g64f37cc530f1-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_from_oldmem.part.0.cold+0x1d/0x86\nCode: ff ff ff e8 05 ff fe ff e9 b9 e9 7f ff 48 89 de 48 c7 c7 38 3b 60 82 e8 f1 fe fe ff 83 fd 08 72 3c 49 8d 7d 08 4c 89 e9 89 e8 <49> c7 45 00 00 00 00 00 49 c7 44 05 f8 00 00 00 00 48 83 e7 f81\nRSP: 0018:ffffc9000073be08 EFLAGS: 00010212\nRAX: 0000000000001000 RBX: 00000000002fd000 RCX: 00007f2374e01000\nRDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00007f2374e01008\nRBP: 0000000000001000 R08: 0000000000000000 R09: ffffc9000073bc50\nR10: ffffc9000073bc48 R11: ffffffff829461a8 R12: 000000000000f000\nR13: 00007f2374e01000 R14: 0000000000000000 R15: ffff88807bd421e8\nFS:  00007f2374e12140(0000) GS:ffff88807f000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2374e01000 CR3: 000000007a4aa000 CR4: 0000000000350eb0\nCall Trace:\nread_vmcore+0x236/0x2c0\nproc_reg_read+0x55/0xa0\nvfs_read+0x95/0x190\nksys_read+0x4f/0xc0\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nSome x86-64 CPUs have a CPU feature called \"Supervisor Mode Access\nPrevention (SMAP)\", which is used to detect wrong access from the kernel\nto user buffers like this: SMAP triggers a permissions violation on\nwrong access.  In the x86-64 variant of clear_user(), SMAP is properly\nhandled via clac()+stac().\nTo fix, properly use clear_user() when we're dealing with a user buffer." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:6993",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.74.1.el8_8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47566\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47566\nhttps://lore.kernel.org/linux-cve-announce/2024052453-CVE-2021-47566-12b8@gregkh/T" ],
  "name" : "CVE-2021-47566",
  "csaw" : false
}