Bug 1970273 (CVE-2021-33909) - CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer
Status: CLOSED ERRATA
Alias: CVE-2021-33909
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1976738 1970317 1970318 1970788 1974125 1974126 1975179 1975180 1975181 1975182 1975184 1975185 1975186 1975187 1975188 1975189 1975190 1975246 1975247 1975248 1975249 1975250 1975251 1975252 1975253 1975254 1975255 1975256 1975617 1975777 1975778 1976739 1976740 1976741 1977570 1977574 1984019
Blocks: 1969705
Reported: 2021-06-10 08:17 UTC by Rohit Keshri
Modified: 2022-04-17 21:27 UTC

Fixed In Version: kernel 5.14 rc3
Doc Text:
An out-of-bounds write flaw was found in the Linux kernel's seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bounds memory, leading to a system crash, a leak of internal kernel information, and possible privilege escalation. The issue results from not validating the size_t-to-int conversion prior to performing operations. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.
Last Closed: 2021-07-20 21:54:40 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:2897 0 None None None 2021-07-26 16:59:03 UTC
Red Hat Product Errata RHSA-2021:2714 0 None None None 2021-07-20 22:34:59 UTC
Red Hat Product Errata RHSA-2021:2715 0 None None None 2021-07-20 20:55:17 UTC
Red Hat Product Errata RHSA-2021:2716 0 None None None 2021-07-21 00:14:37 UTC
Red Hat Product Errata RHSA-2021:2718 0 None None None 2021-07-20 22:10:44 UTC
Red Hat Product Errata RHSA-2021:2719 0 None None None 2021-07-20 21:27:49 UTC
Red Hat Product Errata RHSA-2021:2720 0 None None None 2021-07-21 00:12:34 UTC
Red Hat Product Errata RHSA-2021:2722 0 None None None 2021-07-20 21:20:55 UTC
Red Hat Product Errata RHSA-2021:2723 0 None None None 2021-07-20 22:24:10 UTC
Red Hat Product Errata RHSA-2021:2725 0 None None None 2021-07-21 01:07:56 UTC
Red Hat Product Errata RHSA-2021:2726 0 None None None 2021-07-21 01:08:39 UTC
Red Hat Product Errata RHSA-2021:2727 0 None None None 2021-07-20 22:42:20 UTC
Red Hat Product Errata RHSA-2021:2728 0 None None None 2021-07-21 01:11:46 UTC
Red Hat Product Errata RHSA-2021:2729 0 None None None 2021-07-21 00:28:51 UTC
Red Hat Product Errata RHSA-2021:2730 0 None None None 2021-07-20 21:24:51 UTC
Red Hat Product Errata RHSA-2021:2731 0 None None None 2021-07-21 00:02:15 UTC
Red Hat Product Errata RHSA-2021:2732 0 None None None 2021-07-20 21:15:48 UTC
Red Hat Product Errata RHSA-2021:2733 0 None None None 2021-07-20 20:21:03 UTC
Red Hat Product Errata RHSA-2021:2734 0 None None None 2021-07-20 20:04:05 UTC
Red Hat Product Errata RHSA-2021:2735 0 None None None 2021-07-20 20:54:29 UTC
Red Hat Product Errata RHSA-2021:2736 0 None None None 2021-07-22 15:07:19 UTC
Red Hat Product Errata RHSA-2021:2737 0 None None None 2021-07-21 14:09:36 UTC
Red Hat Product Errata RHSA-2021:2763 0 None None None 2021-07-26 16:40:33 UTC

Description Rohit Keshri 2021-06-10 08:17:13 UTC
An out-of-bounds write flaw was found in seq_file in the Filesystem layer, where a local attacker with a user privilege could gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.

While creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.

References:
https://www.openwall.com/lists/oss-security/2021/07/20/1
https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt

Fix:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b

Comment 18 Alexander Viro 2021-06-24 16:51:31 UTC
*shrug*
Just don't let the damn thing ask for vmalloc'ed buffer that large.
IOW, add to seq_buf_alloc() if (unlikely(size > MAX_RW_COUNT)) return NULL;
and be done with that.
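
The arithmetic behind the description and the bound proposed in comment 18, as an added user-space C model (not kernel code and not part of the original bug report). The names narrow_to_int, suffix_offset, alloc_allowed and the MODEL_* constants are hypothetical; 4 KiB pages and a 32-bit int are assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4 KiB pages. Mirrors the kernel's MAX_RW_COUNT, which is
 * INT_MAX rounded down to a page boundary. */
#define MODEL_PAGE_SIZE    ((size_t)4096)
#define MODEL_MAX_RW_COUNT ((size_t)INT_MAX & ~(MODEL_PAGE_SIZE - 1))

/* What a callee declared with an "int" length sees when it is handed a
 * size_t: only the low 32 bits, read as two's complement (32-bit int). */
static int narrow_to_int(size_t size)
{
    uint32_t low = (uint32_t)size;

    if (low > (uint32_t)INT_MAX)
        return (int)((int64_t)low - 4294967296LL);
    return (int)low;
}

/* Model: a 10-byte suffix placed at the end of the buffer, where "end" is
 * computed from the narrowed length. Result is relative to the buffer start. */
static long long suffix_offset(size_t size)
{
    return (long long)narrow_to_int(size) - 10;
}

/* The bound suggested in comment 18, as a stand-alone predicate. */
static int alloc_allowed(size_t size)
{
    return size <= MODEL_MAX_RW_COUNT;
}

int main(void)
{
    /* Constructed sizes: 1 MiB, the largest allowed size, exactly 2 GiB. */
    size_t sizes[] = { (size_t)1 << 20, MODEL_MAX_RW_COUNT, (size_t)1 << 31 };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("size=%zu as_int=%d suffix_offset=%lld allowed=%d\n",
               sizes[i], narrow_to_int(sizes[i]),
               suffix_offset(sizes[i]), alloc_allowed(sizes[i]));
    return 0;
}
```

For a 2 GiB buffer the narrowed length is INT_MIN, so the modelled suffix lands at -2GB-10B relative to the buffer start, the offset given in the description; with the bound in place that size is never allocated.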

Comment 63 Rohit Keshri 2021-07-20 12:43:04 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1984019]

Comment 66 errata-xmlrpc 2021-07-20 20:04:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:2734 https://access.redhat.com/errata/RHSA-2021:2734

Comment 67 errata-xmlrpc 2021-07-20 20:21:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:2733 https://access.redhat.com/errata/RHSA-2021:2733

Comment 68 errata-xmlrpc 2021-07-20 20:54:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2021:2735 https://access.redhat.com/errata/RHSA-2021:2735

Comment 69 errata-xmlrpc 2021-07-20 20:55:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2715 https://access.redhat.com/errata/RHSA-2021:2715

Comment 70 errata-xmlrpc 2021-07-20 21:15:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2732 https://access.redhat.com/errata/RHSA-2021:2732

Comment 71 errata-xmlrpc 2021-07-20 21:20:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2722 https://access.redhat.com/errata/RHSA-2021:2722

Comment 72 errata-xmlrpc 2021-07-20 21:24:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:2730 https://access.redhat.com/errata/RHSA-2021:2730

Comment 73 errata-xmlrpc 2021-07-20 21:27:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2719 https://access.redhat.com/errata/RHSA-2021:2719

Comment 74 Product Security DevOps Team 2021-07-20 21:54:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33909

Comment 75 errata-xmlrpc 2021-07-20 22:10:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2718 https://access.redhat.com/errata/RHSA-2021:2718

Comment 76 errata-xmlrpc 2021-07-20 22:24:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2723 https://access.redhat.com/errata/RHSA-2021:2723

Comment 77 errata-xmlrpc 2021-07-20 22:34:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2714 https://access.redhat.com/errata/RHSA-2021:2714

Comment 78 errata-xmlrpc 2021-07-20 22:42:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2727 https://access.redhat.com/errata/RHSA-2021:2727

Comment 79 errata-xmlrpc 2021-07-21 00:02:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2021:2731 https://access.redhat.com/errata/RHSA-2021:2731

Comment 80 errata-xmlrpc 2021-07-21 00:12:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2720 https://access.redhat.com/errata/RHSA-2021:2720

Comment 81 errata-xmlrpc 2021-07-21 00:14:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2716 https://access.redhat.com/errata/RHSA-2021:2716

Comment 82 errata-xmlrpc 2021-07-21 00:28:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2729 https://access.redhat.com/errata/RHSA-2021:2729

Comment 83 errata-xmlrpc 2021-07-21 01:07:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725

Comment 84 errata-xmlrpc 2021-07-21 01:08:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726

Comment 85 errata-xmlrpc 2021-07-21 01:11:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2728 https://access.redhat.com/errata/RHSA-2021:2728

Comment 86 errata-xmlrpc 2021-07-21 14:09:24 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:2737 https://access.redhat.com/errata/RHSA-2021:2737

Comment 88 errata-xmlrpc 2021-07-22 15:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2736 https://access.redhat.com/errata/RHSA-2021:2736

Comment 91 errata-xmlrpc 2021-07-26 16:40:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2763 https://access.redhat.com/errata/RHSA-2021:2763
