Resource Injection Affecting kernel-rt-debug-kvm package, versions *


Severity

Recommended
low

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL8-KERNELRTDEBUGKVM-7404522
  • published26 Jun 2024
  • disclosed25 Jun 2024

Introduced: 25 Jun 2024

CVE-2021-4440  (opens in a new tab)
CWE-99  (opens in a new tab)

How to fix?

There is no fixed version for RHEL:8 kernel-rt-debug-kvm.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-rt-debug-kvm package and not the kernel-rt-debug-kvm package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

x86/xen: Drop USERGS_SYSRET64 paravirt call

commit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream.

USERGS_SYSRET64 is used to return from a syscall via SYSRET, but a Xen PV guest will nevertheless use the IRET hypercall, as there is no sysret PV hypercall defined.

So instead of testing all the prerequisites for doing a sysret and then mangling the stack for Xen PV again for doing an iret just use the iret exit from the beginning.

This can easily be done via an ALTERNATIVE like it is done for the sysenter compat case already.

It should be noted that this drops the optimization in Xen for not restoring a few registers when returning to user mode, but it seems as if the saved instructions in the kernel more than compensate for this drop (a kernel build in a Xen PV guest was slightly faster with this patch applied).

While at it remove the stale sysret32 remnants.

[ pawan: Brad Spengler and Salvatore Bonaccorso <carnil@debian.org> reported a problem with the 5.10 backport commit edc702b4a820 ("x86/entry_64: Add VERW just before userspace transition").

   When CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS is not executed in
   syscall_return_via_sysret path as USERGS_SYSRET64 is runtime
   patched to:

.cpu_usergs_sysret64 = { 0x0f, 0x01, 0xf8, 0x48, 0x0f, 0x07 }, // swapgs; sysretq

which is missing CLEAR_CPU_BUFFERS. It turns out dropping USERGS_SYSRET64 simplifies the code, allowing CLEAR_CPU_BUFFERS to be explicitly added to syscall_return_via_sysret path. Below is with CONFIG_PARAVIRT_XXL=y and this patch applied:

syscall_return_via_sysret: ... &lt;+342&gt;: swapgs &lt;+345&gt;: xchg %ax,%ax &lt;+347&gt;: verw -0x1a2(%rip) &lt;------ &lt;+354&gt;: sysretq

]

CVSS Scores

version 3.1