CVE-2021-47227

{"id": "CVE-2021-47227", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:11.900", "references": [{"url": "https://git.kernel.org/stable/c/076f732b16a5bf842686e1b43ab6021a2d98233e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/484cea4f362e1eeb5c869abbfb5f90eae6421b38", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ec25ea1f3f05d6f8ee51d1277efea986eafd4f2a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/076f732b16a5bf842686e1b43ab6021a2d98233e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/484cea4f362e1eeb5c869abbfb5f90eae6421b38", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/ec25ea1f3f05d6f8ee51d1277efea986eafd4f2a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Prevent state corruption in __fpu__restore_sig()\n\nThe non-compacted slowpath uses __copy_from_user() and copies the entire\nuser buffer into the kernel buffer, verbatim. This means that the kernel\nbuffer may now contain entirely invalid state on which XRSTOR will #GP.\nvalidate_user_xstate_header() can detect some of that corruption, but that\nleaves the onus on callers to clear the buffer.\n\nPrior to XSAVES support, it was possible just to reinitialize the buffer,\ncompletely, but with supervisor states that is not longer possible as the\nbuffer clearing code split got it backwards. Fixing that is possible but\nnot corrupting the state in the first place is more robust.\n\nAvoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate()\nwhich validates the XSAVE header contents before copying the actual states\nto the kernel. copy_user_to_xstate() was previously only called for\ncompacted-format kernel buffers, but it works for both compacted and\nnon-compacted forms.\n\nUsing it for the non-compacted form is slower because of multiple\n__copy_from_user() operations, but that cost is less important than robust\ncode in an already slow path.\n\n[ Changelog polished by Dave Hansen ]"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: x86/fpu: evita la corrupci\u00f3n del estado en __fpu__restore_sig() La ruta lenta no compactada usa __copy_from_user() y copia todo el b\u00fafer del usuario en el b\u00fafer del kernel, palabra por palabra. Esto significa que el b\u00fafer del kernel ahora puede contener un estado completamente inv\u00e1lido en el que XRSTOR realizar\u00e1 #GP. validar_user_xstate_header() puede detectar parte de esa corrupci\u00f3n, pero eso deja a las personas que llaman la responsabilidad de borrar el b\u00fafer. Antes de la compatibilidad con XSAVES, era posible simplemente reinicializar el b\u00fafer por completo, pero con los estados del supervisor eso ya no es posible porque la divisi\u00f3n del c\u00f3digo de borrado del b\u00fafer lo hac\u00eda al rev\u00e9s. Arreglar eso es posible, pero no corromper al Estado en primer lugar es m\u00e1s s\u00f3lido. Evite la corrupci\u00f3n del b\u00fafer XSAVE del kernel utilizando copy_user_to_xstate() que valida el contenido del encabezado XSAVE antes de copiar los estados reales al kernel. copy_user_to_xstate() anteriormente solo se llamaba para buffers del kernel en formato compacto, pero funciona tanto para formatos compactos como no compactos. Usarlo para el formato no compacto es m\u00e1s lento debido a m\u00faltiples operaciones __copy_from_user(), pero ese costo es menos importante que el c\u00f3digo robusto en una ruta que ya es lenta. [Registro de cambios pulido por Dave Hansen]"}], "lastModified": "2025-04-29T19:41:06.873", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD060971-E88B-4295-B40F-7C6C358E1541", "versionEndExcluding": "5.10.46", "versionStartIncluding": "5.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7806E7E5-6D4F-4E18-81C1-79B3C60EE855", "versionEndExcluding": "5.12.13", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25A855BA-2118-44F2-90EF-EBBB12AF51EF"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}