CVE-2021-47618

Описание

In the Linux kernel, the following vulnerability has been resolved: ARM: 9170/1: fix panic when kasan and kprobe are enabled arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic. the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files. for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: <cap_capable>: e92d47f0push{r4, r5, r6, r7, r8, r9, sl, lr} e1a05000movr5, r0 e280006caddr0, r0, #108 ; 0x6c e1a04001movr4, r1 e1a06002movr6, r2 e59fa090ldrsl, [pc, #144] ; ebfc7bf8blc03aa4b4 <__asan_load4> e595706cldrr7, [r5, #108] ; 0x6c e2859014addr9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 <emulate_ldr>: e92d47f0push{r4, r5, r6, r7, r8, r9, sl, lr} e282803caddr8, r2, #60 ; 0x3c e1a05000movr5, r0 e7e37855ubfxr7, r5, #16, #4 e1a00008movr0, r8 e1a09001movr9, r1 e1a04002movr4, r2 ebf35462blc03c6530 <__asan_load4> e357000fcmpr7, #15 e7e36655ubfxr6, r5, #12, #4 e205a00fandsl, r5, #15 0a000001beqc06f13bc <emulate_ldr+0x38> e0840107addr0, r4, r7, lsl #2 ebf3545cblc03c6530 <__asan_load4> e084010aaddr0, r4, sl, lsl #2 ebf3545ablc03c6530 <__asan_load4> e2890010addr0, r9, #16 ebf35458blc03c6530 <__asan_load4> e5990010ldrr0, [r9, #16] e12fff30blxr0 e356000fcmr6, #15 1a000014bnec06f1430 <emulate_ldr+0xac> e1a06000movr6, r0 e2840040addr0, r4, #64 ; 0x40 ...... when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)