Bug 2025726 (CVE-2021-4002) - CVE-2021-4002 kernel: possible leak or corruption of data residing on hugetlbfs
Summary: CVE-2021-4002 kernel: possible leak or corruption of data residing on hugetlbfs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4002
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2026494 2026376 2026377 2026378 2026926
Blocks: 2025723 2025729
Reported: 2021-11-22 20:22 UTC by Michael Kaplan
Modified: 2022-06-16 11:23 UTC (History)

Fixed In Version: kernel 5.16 rc3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Linux kernel's hugetlbfs code handles page tables when a user maps the same hugetlbfs region twice (for example via shmget() with SHM_HUGETLB) at PUD-aligned addresses and faults in some of the pages. Clearing the PUD entry when the mapping is torn down does not flush the TLB, so stale translations to the huge pages can remain. A local user could use this flaw to gain unauthorized access to, or corrupt, data residing on hugetlbfs.
Clone Of:
Environment:
Last Closed: 2022-05-11 12:45:33 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2229 0 None None None 2022-05-12 11:26:55 UTC
Red Hat Product Errata RHBA-2022:4630 0 None None None 2022-05-18 11:46:40 UTC
Red Hat Product Errata RHBA-2022:4693 0 None None None 2022-05-19 05:11:05 UTC
Red Hat Product Errata RHBA-2022:4969 0 None None None 2022-06-08 18:40:16 UTC
Red Hat Product Errata RHBA-2022:5088 0 None None None 2022-06-16 11:23:32 UTC
Red Hat Product Errata RHSA-2022:1975 0 None None None 2022-05-10 14:40:21 UTC
Red Hat Product Errata RHSA-2022:1988 0 None None None 2022-05-10 14:46:18 UTC

Description Michael Kaplan 2021-11-22 20:22:19 UTC
On Linux 3.6 and later it is possible to leak or corrupt data that resides on
hugetlbfs. Such data can reside on hugetlbfs, for instance, if the victim runs
mmap() using MAP_HUGETLB or shmget() with SHM_HUGETLB.

The bug is caused by a missing TLB flush when unmapping of a page of PMDs
is performed by clearing a PUD. While the comment in the code claims that it
is safe, it is not, since no flush would take place under these circumstances
(unless, of course, it was needed for some other reason).
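
The trigger described in the Doc Text (a hugetlbfs region mapped twice at PUD alignment with some pages faulted in) and the version window given in the report (affected since Linux 3.6, fixed in 5.16-rc3) suggest a quick triage check for a host. The C program below is an added example written for this page; it is not code from the bug report, the kernel or Red Hat. It parses a kernel release string with correct "-rcN" ordering (an rc sorts before the final release with the same numbers), reports whether the version falls inside the upstream affected window, and reads HugePages_Total from /proc/meminfo-style text. The sample meminfo lines are constructed. Two points are the example author's assumptions rather than statements from the bug: that with no huge pages reserved and no overcommit, MAP_HUGETLB and SHM_HUGETLB allocations fail (so a host with HugePages_Total of 0 offers no hugetlbfs data to leak), and that vendor kernels such as RHEL's 4.18.0-*.el8 backport fixes, so a "1" from the version check means "consult the vendor errata listed on this page", not "vulnerable".

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Kernel version as the report and the "Fixed In Version" field express it.
 * rc == 0 means a final release; rc > 0 means "-rcN", which sorts before it. */
struct kver { int major, minor, patch, rc; };

/* Parse "5.16.0-rc3", "5.16-rc3", "4.18.0-348.el8.x86_64" or "3.6".
 * Returns 0 on success, -1 if the string does not start with "major.minor". */
int parse_kver(const char *s, struct kver *v)
{
    char *end;
    v->major = v->minor = v->patch = v->rc = 0;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return -1;
    s = end;
    if (*s == '.') {                      /* optional ".patch" */
        const char *p = s + 1;
        v->patch = (int)strtol(p, &end, 10);
        if (end == p) return -1;
        s = end;
    }
    if (strncmp(s, "-rc", 3) == 0) {      /* optional "-rcN" release-candidate tag */
        const char *p = s + 3;
        v->rc = (int)strtol(p, &end, 10);
        if (end == p || v->rc <= 0) return -1;
    }
    /* Anything after that (e.g. "-348.el8.x86_64") is a vendor build suffix; ignored. */
    return 0;
}

/* Three-way compare; an rc sorts before the final release with the same numbers. */
int cmp_kver(const struct kver *a, const struct kver *b)
{
    int ra = a->rc ? a->rc : INT_MAX, rb = b->rc ? b->rc : INT_MAX;
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (ra != rb) return ra < rb ? -1 : 1;
    return 0;
}

/* 1 if the release string is inside the upstream affected window
 * (3.6 <= v < 5.16-rc3, per the bug report), 0 if not, -1 if unparsable.
 * Assumption: vendor kernels backport fixes, so 1 means "check the errata". */
int version_in_affected_window(const char *release)
{
    const struct kver first_bad = {3, 6, 0, 0}, fixed = {5, 16, 0, 3};
    struct kver v;
    if (parse_kver(release, &v) != 0) return -1;
    return cmp_kver(&v, &first_bad) >= 0 && cmp_kver(&v, &fixed) < 0;
}

/* Extract HugePages_Total from /proc/meminfo text; -1 if the line is absent.
 * Assumption: with no huge pages reserved and no overcommit, MAP_HUGETLB and
 * SHM_HUGETLB allocations fail, so nothing can be placed on hugetlbfs. */
long hugepages_total(const char *meminfo)
{
    const char *p = strstr(meminfo, "HugePages_Total:");
    if (!p) return -1;
    return strtol(p + strlen("HugePages_Total:"), NULL, 10);
}

int main(void)
{
    /* Constructed sample so the program demonstrates both checks offline. */
    const char *sample_meminfo =
        "MemTotal:       16303968 kB\n"
        "HugePages_Total:      64\n"
        "HugePages_Free:       64\n"
        "Hugepagesize:       2048 kB\n";
    const char *releases[] = { "5.15.0-rc7", "5.16.0-rc2", "5.16.0-rc3",
                               "4.18.0-348.el8.x86_64", "3.5.7", "5.16.0" };
    struct utsname u;
    char buf[8192];
    FILE *f;

    for (size_t i = 0; i < sizeof releases / sizeof *releases; i++)
        printf("%-24s in affected window: %d\n", releases[i],
               version_in_affected_window(releases[i]));
    printf("sample HugePages_Total: %ld\n", hugepages_total(sample_meminfo));

    /* Live checks on the host running this program. */
    if (uname(&u) == 0)
        printf("running kernel %s: %d\n", u.release,
               version_in_affected_window(u.release));
    if ((f = fopen("/proc/meminfo", "r")) != NULL) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("host HugePages_Total: %ld\n", hugepages_total(buf));
    }
    return 0;
}
```

For RHEL 8 the authoritative answer is whether RHSA-2022:1975 or RHSA-2022:1988 has been applied, since the 4.18.0 release string never leaves the upstream window; the version check is only useful for self-built or upstream-tracking kernels.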

Comment 3 Guilherme de Almeida Suckevicz 2021-11-26 13:50:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2026926]

Comment 9 errata-xmlrpc 2022-05-10 14:40:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 10 errata-xmlrpc 2022-05-10 14:46:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 11 Product Security DevOps Team 2022-05-11 12:45:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4002

