CVE-2021-47430 x86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n

2024-05-2115:04:15

Linux

www.cve.org

linux kernel

vulnerability

x86/entry

x86_feature_smap

config_x86_smap

warning

cpu

smap

kernel config

syscall_nt selftest

nosmap parameter

entry-fuzz

satrandconfig

6.1 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.8%

JSON

In the Linux kernel, the following vulnerability has been resolved:

x86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n

Commit

3c73b81a9164 (“x86/entry, selftests: Further improve user entry sanity checks”)

added a warning if AC is set when in the kernel.

Commit

662a0221893a3d (“x86/entry: Fix AC assertion”)

changed the warning to only fire if the CPU supports SMAP.

However, the warning can still trigger on a machine that supports SMAP
but where it’s disabled in the kernel config and when running the
syscall_nt selftest, for example:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 49 at irqentry_enter_from_user_mode
CPU: 0 PID: 49 Comm: init Tainted: G T 5.15.0-rc4+ #98 e6202628ee053b4f310759978284bd8bb0ce6905
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:irqentry_enter_from_user_mode
…
Call Trace:
? irqentry_enter
? exc_general_protection
? asm_exc_general_protection
? asm_exc_general_protectio

IS_ENABLED(CONFIG_X86_SMAP) could be added to the warning condition, but
even this would not be enough in case SMAP is disabled at boot time with
the “nosmap” parameter.

To be consistent with “nosmap” behaviour, clear X86_FEATURE_SMAP when
!CONFIG_X86_SMAP.

Found using entry-fuzz + satrandconfig.

[ bp: Massage commit message. ]

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/kernel/cpu/common.c"
    ],
    "versions": [
      {
        "version": "3c73b81a9164",
        "lessThan": "f2447f6587b8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "3c73b81a9164",
        "lessThan": "4e9ec1c65da9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "3c73b81a9164",
        "lessThan": "3958b9c34c27",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/kernel/cpu/common.c"
    ],
    "versions": [
      {
        "version": "5.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.73",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14.12",
        "lessThanOrEqual": "5.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]