Bug 1989165 (CVE-2021-3679) - CVE-2021-3679 kernel: DoS in rb_per_cpu_empty()
Summary: CVE-2021-3679 kernel: DoS in rb_per_cpu_empty()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3679
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989166 1989485 1989486
Blocks: 1986380 1989644
Reported: 2021-08-02 14:59 UTC by Alex
Modified: 2021-11-09 21:53 UTC (History)

Fixed In Version: kernel 5.14-rc3
Doc Type: If docs needed, set a value
Doc Text:
A denial-of-service flaw was found in the Linux kernel tracing module: when the trace ring buffer is used in a specific way, the reading process can be left consuming CPU indefinitely. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve the system of resources, causing a denial of service.
Clone Of:
Environment:
Last Closed: 2021-11-09 21:53:14 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4140 0 None None None 2021-11-09 17:23:58 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 18:27:59 UTC

Description Alex 2021-08-02 14:59:17 UTC
A vulnerability in the tracing module in kernel/trace/ring_buffer.c, caused by a bug in rb_per_cpu_empty() that uses a stale value, could cause tracing_read_pipe() to be trapped in an event-polling loop infinitely.

The victim process (the one that is trapped) will always be in the running state, drains a lot of power, and cannot be killed by any UNIX signal (including SIGKILL).
This vulnerability can be exploited merely using a bash script, with sufficient privilege to control tracefs (such as root or a process with the CAP_SYS_ADMIN capability).

Patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a

Comment 1 Alex 2021-08-02 14:59:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1989166]

Comment 6 Justin M. Forbes 2021-08-03 17:47:28 UTC
This was fixed for Fedora with the 5.13.6 stable kernel updates.

Comment 7 Alex 2021-08-04 10:56:42 UTC
Patches:
1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a
- this one fixes the bug.
2. https://lore.kernel.org/stable/20210723125633.655004181@goodmis.org/
3. https://lore.kernel.org/stable/20210723125633.840379520@goodmis.org/#t
7. https://lore.kernel.org/stable/20210723125634.584194330@goodmis.org/

Steven merged patch #1 with the other three patches, ran them through his tests and submitted them to LKML for the next merge window of 5.14-rc2.

The other patches (#2, #3, #7) fix some other (less important, so no separate CVE) bugs and style issues in other files of the tracing module. Patch #1 fixes the buggy conditional in rb_per_cpu_empty() and thus prevents the deadloop outcome when using the same exploiting method. The combined patch:
https://lore.kernel.org/lkml/20210723125527.767d1c18@oasis.local.home/
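
As an added illustration of the buggy conditional named in the description and in comment 7, the pre-fix and post-fix forms of the rb_per_cpu_empty() predicate side by side, applied to the stale-read case. This is a userspace model written from the linked upstream commit, not the kernel's own code; the struct below is a simplified stand-in (an assumption) that keeps only the two fields the predicate consults.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified stand-in for the kernel's struct buffer_page (assumption): only
 * the two fields the predicate consults are modelled. */
struct buffer_page {
    size_t read;    /* reader's offset into this page's data */
    size_t commit;  /* bytes committed to this page (rb_page_commit()) */
};

static size_t rb_page_commit(const struct buffer_page *p) { return p->commit; }

/* Pre-fix predicate, with the per-CPU buffer's reader, head and commit pages
 * passed in directly. The last clause compares head->read, which may be stale
 * from when that page was last the reader page, with the commit length. */
bool rb_per_cpu_empty_buggy(const struct buffer_page *reader,
                            const struct buffer_page *head,
                            const struct buffer_page *commit)
{
    return reader->read == rb_page_commit(reader) &&
           (commit == reader ||
            (commit == head && head->read == rb_page_commit(commit)));
}

/* Fixed predicate: when writers commit on the head page, emptiness depends
 * only on whether that page holds committed data; head->read is ignored. */
bool rb_per_cpu_empty_fixed(const struct buffer_page *reader,
                            const struct buffer_page *head,
                            const struct buffer_page *commit)
{
    if (reader->read != rb_page_commit(reader))
        return false;   /* reader page still holds unread data */
    if (commit == reader)
        return true;    /* all committed data has been read */
    if (commit != head)
        return false;   /* unread pages lie between head and commit */
    return rb_page_commit(commit) == 0;
}

/* Constructed scenario from the report: reader page fully consumed, writers
 * committing on the head page, which holds no data but keeps a stale read
 * offset. Buggy says "not empty" (so tracing_read_pipe() never waits). */
bool empty_on_stale_head(bool use_fixed)
{
    struct buffer_page reader = { .read = 128, .commit = 128 };
    struct buffer_page head = { .read = 64, .commit = 0 };  /* stale read */
    return use_fixed ? rb_per_cpu_empty_fixed(&reader, &head, &head)
                     : rb_per_cpu_empty_buggy(&reader, &head, &head);
}
```

With the buggy form the reader is told there is data, finds none, and loops back without ever entering the wait path where signals are checked; the fixed form lets it sleep until a writer commits.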

Comment 10 errata-xmlrpc 2021-11-09 17:23:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140

Comment 11 errata-xmlrpc 2021-11-09 18:27:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356

Comment 12 Product Security DevOps Team 2021-11-09 21:53:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3679
