Bug 2025726 (CVE-2021-4002)

Summary: CVE-2021-4002 kernel: possible leak or coruption of data residing on hugetlbfs
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, allarkin, aquini, bdettelb, bhu, blc, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, mvanderw, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.16 rc3 Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-11 12:45:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2026376, 2026377, 2026378, 2026494, 2026926    
Bug Blocks: 2025723, 2025729    

Description Michael Kaplan 2021-11-22 20:22:19 UTC 
On Linux 3.6 and later is is possible to leak or corrupt data that resides on
hugetlbs. Such data can reside on hugetlbfs, for instance, if the victim runs
mmap() using the MAP_HUGETLB or shmget() with SHM_HUGETLB.

The bug is caused due to a missing TLB flush when unmapping of a page of PMDs
is performed by clearing a PUD. While the comment in the code claims that it
is safe, it is not since no flush would take place under these circumstances
(unless, of course it was needed for some other reason).
Comment 3 Guilherme de Almeida Suckevicz 2021-11-26 13:50:34 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2026926]
Comment 9 errata-xmlrpc 2022-05-10 14:40:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
Comment 10 errata-xmlrpc 2022-05-10 14:46:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
Comment 11 Product Security DevOps Team 2022-05-11 12:45:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4002