CVE-2021-47531

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47531
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47531.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47531
Related
Published
2024-05-24T15:15:16Z
Modified
2024-09-18T01:00:20Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Fix mmap to include VMIO and VMDONTDUMP

In commit 510410bfc034 ("drm/msm: Implement mmap as GEM object function") we switched to a new/cleaner method of doing things. That's good, but we missed a little bit.

Before that commit, we used to first run through the drmgemmmap_obj() case where obj->funcs->mmap() was NULL. That meant that we ran:

vma->vmflags |= VMIO | VMPFNMAP | VMDONTEXPAND | VMDONTDUMP; vma->vmpageprot = pgprotwritecombine(vmgetpageprot(vma->vmflags)); vma->vmpageprot = pgprotdecrypted(vma->vmpage_prot);

...and then we modified those mappings with our own. Now that obj->funcs->mmap() is no longer NULL we don't run the default code. It looks like the fact that the vmflags got VMIO / VM_DONTDUMP was important because we're now getting crashes on Chromebooks that use ARC++ while logging out. Specifically a crash that looks like this (this is on a 5.10 kernel w/ relevant backports but also seen on a 5.15 kernel):

Unable to handle kernel paging request at virtual address ffffffc008000000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000008293d000 [ffffffc008000000] pgd=00000001002b3003, p4d=00000001002b3003, pud=00000001002b3003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP [...] CPU: 7 PID: 15734 Comm: crashdump64 Tainted: G W 5.10.67 #1 [...] Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--) pc : _archcopytouser+0xc0/0x30c lr : copyout+0xac/0x14c [...] Call trace: _archcopytouser+0xc0/0x30c copypagetoiter+0x1a0/0x294 processvmrwcore+0x240/0x408 processvmrw+0x110/0x16c _arm64sysprocessvmreadv+0x30/0x3c el0svccommon+0xf8/0x250 doel0svc+0x30/0x80 el0svc+0x10/0x1c el0synchandler+0x78/0x108 el0sync+0x184/0x1c0 Code: f8408423 f80008c3 910020c6 36100082 (b8404423)

Let's add the two flags back in.

While we're at it, the fact that we aren't running the default means that we don't need to clear out VM_PFNMAP, so remove that and save an instruction.

NOTE: it was confirmed that VMIO was the important flag to fix the problem I was seeing, but adding back VMDONTDUMP seems like a sane thing to do so I'm doing that too.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}