Bug 1989165 (CVE-2021-3679)

Summary: CVE-2021-3679 kernel: DoS in rb_per_cpu_empty()
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, blc, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.14-rc3
Doc Type: If docs needed, set a value
Doc Text:
A denial-of-service flaw was found in the Linux kernel's tracing subsystem (the trace ring buffer). Reading the trace pipe after the ring buffer has been driven into a specific state traps the reading process in an unkillable busy loop that consumes CPU. Only privileged local users (with the CAP_SYS_ADMIN capability) can use this flaw to cause a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-09 21:53:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1989166, 1989485, 1989486
Bug Blocks: 1986380, 1989644

Description Alex 2021-08-02 14:59:17 UTC
Vulnerability in the tracing module in kernel/trace/ring_buffer.c, caused by a bug in rb_per_cpu_empty() that uses a stale value and could cause tracing_read_pipe() to be trapped in an event-polling loop indefinitely.

The victim process (the one that is trapped) will always be in the running state, drain a lot of power and cannot be killed by any UNIX signal (including SIGKILL).
This vulnerability can be exploited merely by using a bash script, with sufficient privilege to control tracefs (such as root or a process with the CAP_SYS_ADMIN capability).

Patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a
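Added example, not code from the bug report or from the kernel: a small user-space C model of the empty check in rb_per_cpu_empty() before and after the linked commit, as the editor reads that commit, together with a bounded simulation of the tracing_read_pipe() retry loop. The structs, field names and helpers below are simplified stand-ins for the kernel's (assumption: only the "read" and "commit" fields the check looks at are modelled), and the page state is constructed to show the stale "read" field on the head page that the original conditional wrongly consulted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified stand-in for the kernel's buffer page (assumption: only the
 * fields the empty check looks at are modelled).
 *   read   - how far a reader consumed this page; only meaningful while the
 *            page is the reader page, stale once the page has been rotated
 *   commit - bytes committed to the page (0 means no data on it)
 */
struct page {
    unsigned long read;
    unsigned long commit;
};

/* Per-CPU buffer state: which page currently plays which role. */
struct cpu_buffer {
    struct page *reader;
    struct page *head;
    struct page *commit;
};

static unsigned long page_commit(const struct page *p)
{
    return p->commit;
}

/* Pre-fix predicate, as the editor reads the conditional the commit removed. */
bool per_cpu_empty_buggy(const struct cpu_buffer *b)
{
    const struct page *reader = b->reader, *head = b->head, *commit = b->commit;

    if (head == NULL)
        return true;
    /* head->read is consulted here although it is stale for a head page. */
    return reader->read == page_commit(reader) &&
           (commit == reader ||
            (commit == head && head->read == page_commit(commit)));
}

/* Post-fix predicate, as the editor reads the conditional the commit added. */
bool per_cpu_empty_fixed(const struct cpu_buffer *b)
{
    const struct page *reader = b->reader, *head = b->head, *commit = b->commit;

    if (head == NULL)
        return true;
    if (reader->read != page_commit(reader))
        return false;           /* reader page not exhausted yet */
    if (commit == reader)
        return true;            /* writers on the reader page: all data read */
    if (commit != head)
        return false;           /* writers on some other page: data exists */
    /* Writers on the head page: only its committed byte count matters. */
    return page_commit(commit) == 0;
}

/*
 * Constructed state: reader page fully consumed, head page is also the
 * commit page and carries a stale non-zero read field. With head_has_data
 * false the head page holds no committed bytes at all.
 */
static void build_state(struct page *reader_pg, struct page *head_pg,
                        struct cpu_buffer *b, bool head_has_data)
{
    reader_pg->read = 64;
    reader_pg->commit = 64;                 /* exhausted */
    head_pg->read = 32;                     /* leftover from an earlier rotation */
    head_pg->commit = head_has_data ? 48 : 0;
    b->reader = reader_pg;
    b->head = head_pg;
    b->commit = head_pg;
}

/* Evaluate the chosen predicate on the constructed state. */
bool demo_empty(bool use_fix, bool head_has_data)
{
    struct page reader_pg, head_pg;
    struct cpu_buffer b;

    build_state(&reader_pg, &head_pg, &b, head_has_data);
    return use_fix ? per_cpu_empty_fixed(&b) : per_cpu_empty_buggy(&b);
}

/*
 * Bounded model of the tracing_read_pipe() retry: if the empty check says
 * "not empty" but no entry can be found, nothing is produced and the read is
 * retried. Returns the iteration on which the read returns, or -1 if the
 * loop never exits within max_iter (the real loop has no cap and checks no
 * signal on this path, which is the unkillable spin described above).
 */
int demo_read_iterations(bool use_fix, bool head_has_data, int max_iter)
{
    struct page reader_pg, head_pg;
    struct cpu_buffer b;

    build_state(&reader_pg, &head_pg, &b, head_has_data);
    for (int i = 1; i <= max_iter; i++) {
        bool empty = use_fix ? per_cpu_empty_fixed(&b) : per_cpu_empty_buggy(&b);
        if (empty)
            return i;                       /* report 0 bytes, return to user */
        /* Model of "find next entry": unread data on reader or commit page? */
        bool found = page_commit(b.reader) > b.reader->read ||
                     (b.commit != b.reader && page_commit(b.commit) > 0);
        if (found)
            return i;                       /* data copied to user */
        /* nothing produced: goto waitagain */
    }
    return -1;
}

int main(void)
{
    printf("stale head, no data: buggy empty=%d fixed empty=%d\n",
           demo_empty(false, false), demo_empty(true, false));
    printf("read iterations: buggy=%d fixed=%d\n",
           demo_read_iterations(false, false, 1000),
           demo_read_iterations(true, false, 1000));
    printf("stale head, with data: buggy=%d fixed=%d\n",
           demo_read_iterations(false, true, 1000),
           demo_read_iterations(true, true, 1000));
    return 0;
}
```

The constructed "stale head, no data" state is the interesting one: the old conditional compares the head page's leftover read offset with its zero commit count, reports the buffer as not empty, and the modelled read loop never returns; the fixed check ignores head->read and returns on the first pass. When the head page does hold data, both versions agree and the read completes.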

Comment 1 Alex 2021-08-02 14:59:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1989166]

Comment 6 Justin M. Forbes 2021-08-03 17:47:28 UTC
This was fixed for Fedora with the 5.13.6 stable kernel updates.

Comment 7 Alex 2021-08-04 10:56:42 UTC
Patches:
1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a
- this one fixes the bug.
2. https://lore.kernel.org/stable/20210723125633.655004181@goodmis.org/
3. https://lore.kernel.org/stable/20210723125633.840379520@goodmis.org/#t
7. https://lore.kernel.org/stable/20210723125634.584194330@goodmis.org/

Steven merged patch #1 together with the other three patches, ran them through his tests and submitted them to LKML for the 5.14-rc2 merge window.

The other patches (#2, #3, #7) fix some other (less important, so no separate CVE) bugs and style issues in other files of the tracing module. Patch #1 fixes the buggy conditional in rb_per_cpu_empty() and thus prevents the deadloop outcome when using the same exploitation method. The combined patch:
https://lore.kernel.org/lkml/20210723125527.767d1c18@oasis.local.home/

Comment 10 errata-xmlrpc 2021-11-09 17:23:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140

Comment 11 errata-xmlrpc 2021-11-09 18:27:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356

Comment 12 Product Security DevOps Team 2021-11-09 21:53:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3679