CVE-2021-47227

2024-05-2115:15:11

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux

kernel

vulnerability

x86

fpu

state corruption

buffer

xsaves

xsave header

copy_user_to_xstate

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Prevent state corruption in __fpu__restore_sig()

The non-compacted slowpath uses __copy_from_user() and copies the entire
user buffer into the kernel buffer, verbatim. This means that the kernel
buffer may now contain entirely invalid state on which XRSTOR will #GP.
validate_user_xstate_header() can detect some of that corruption, but that
leaves the onus on callers to clear the buffer.

Prior to XSAVES support, it was possible just to reinitialize the buffer,
completely, but with supervisor states that is not longer possible as the
buffer clearing code split got it backwards. Fixing that is possible but
not corrupting the state in the first place is more robust.

Avoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate()
which validates the XSAVE header contents before copying the actual states
to the kernel. copy_user_to_xstate() was previously only called for
compacted-format kernel buffers, but it works for both compacted and
non-compacted forms.

Using it for the non-compacted form is slower because of multiple
__copy_from_user() operations, but that cost is less important than robust
code in an already slow path.

[ Changelog polished by Dave Hansen ]

Affected configurations

Vulners

Node

linuxlinux_kernelRange5.8–5.10.46

linuxlinux_kernelRange5.11.0–5.12.13

linuxlinux_kernelRange5.13.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/kernel/fpu/signal.c"
    ],
    "versions": [
      {
        "version": "b860eb8dce59",
        "lessThan": "076f732b16a5",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b860eb8dce59",
        "lessThan": "ec25ea1f3f05",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b860eb8dce59",
        "lessThan": "484cea4f362e",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/kernel/fpu/signal.c"
    ],
    "versions": [
      {
        "version": "5.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.46",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.12.13",
        "lessThanOrEqual": "5.12.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]