Vulnerability in the tracing module in kernel/trace/ring_buffer.c, caused by a bug in rb_per_cpu_empty() that uses a stale value and could cause tracing_read_pipe() to be trapped in an event-polling loop infinitely. The victim process (the one that is trapped) will always be in the running state, drain a lot of power, and cannot be killed by any UNIX signal (including SIGKILL). This vulnerability can be exploited merely using a bash script, with sufficient privilege to control tracefs (like root or having the CAP_SYS_ADMIN capability).

Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a
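A defensive check for the symptom described above, as an added example that is not part of the original report or of the kernel project's code: it samples /proc twice and flags processes that hold a tracefs trace_pipe open, stay in the running state, and consume close to a full CPU between samples. The function names, the "/tracing" mount-path match, and the 5-second / 90% thresholds are assumptions made for illustration.

```python
import os
import time

def parse_stat(text):
    """Return (comm, state, cpu_ticks) from the text of /proc/<pid>/stat."""
    # comm sits in parentheses and may contain spaces or ')': split at the last ')'.
    head, _, tail = text.rpartition(")")
    fields = tail.split()
    # After comm: fields[0] is state, fields[11] utime, fields[12] stime (clock ticks).
    return head.split("(", 1)[1], fields[0], int(fields[11]) + int(fields[12])

def is_trace_pipe(path):
    # Assumption: tracefs is mounted at a path containing "/tracing"
    # (e.g. /sys/kernel/tracing or /sys/kernel/debug/tracing).
    return os.path.basename(path) == "trace_pipe" and "/tracing" in path

def snapshot(proc_root="/proc"):
    """Map pid -> (comm, state, cpu_ticks) for processes holding trace_pipe open."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            fds = os.listdir(os.path.join(base, "fd"))
            links = [os.readlink(os.path.join(base, "fd", fd)) for fd in fds]
            with open(os.path.join(base, "stat")) as f:
                info = parse_stat(f.read())
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        if any(is_trace_pipe(link) for link in links):
            found[int(pid)] = info
    return found

def spinning(before, after, min_ticks):
    """Pids that were runnable (R) in both snapshots and burned >= min_ticks CPU."""
    return sorted(
        pid for pid, (_, state, ticks) in after.items()
        if pid in before and state == "R" and before[pid][1] == "R"
        and ticks - before[pid][2] >= min_ticks
    )

if __name__ == "__main__":
    interval = 5  # seconds between samples (arbitrary choice)
    first = snapshot()
    time.sleep(interval)
    second = snapshot()
    # Flag readers that used at least ~90% of one CPU over the interval.
    threshold = int(0.9 * interval * os.sysconf("SC_CLK_TCK"))
    for pid in spinning(first, second, threshold):
        print(f"pid {pid} ({second[pid][0]}): runnable and CPU-bound on trace_pipe")
```

A legitimately busy trace reader can match the same heuristic, so a hit is a triage lead rather than proof of this bug; run it as root so other users' fd tables are readable.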
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1989166]
This was fixed for Fedora with the 5.13.6 stable kernel updates.
Patches:
1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f0d6d9883c13174669f88adac4f0ee656cc16a - this one fixes the bug.
2. https://lore.kernel.org/stable/20210723125633.655004181@goodmis.org/
3. https://lore.kernel.org/stable/20210723125633.840379520@goodmis.org/#t
7. https://lore.kernel.org/stable/20210723125634.584194330@goodmis.org/

And Steven merged the patch (patch #1) with the other three patches, ran them through his tests, and submitted them to LKML for the next merge window of 5.14-rc2. The other patches (#2, #3, #7) fix some other (less important, so no separate CVE) bugs and style in other files of the tracing module. Patch #1 fixes the buggy conditional in rb_per_cpu_empty() and thus prevents the deadloop outcome when using the same exploiting method.

The combined patch: https://lore.kernel.org/lkml/20210723125527.767d1c18@oasis.local.home/
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4140 https://access.redhat.com/errata/RHSA-2021:4140
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4356 https://access.redhat.com/errata/RHSA-2021:4356
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3679