Problem description
Vulnerability CVE-2021-33909 may cause a system failure in some scenarios. The vulnerability exists in Elastic Compute Service (ECS) instances that run Alibaba Cloud Linux 2 and have the following properties:
- Image: Alibaba Cloud Linux 2.1903 LTS 64-bit
- Kernel: kernel-4.19.91-24.al7 or earlier
The following call stack information is shown during the system failure.
[ 415.961724] BUG: unable to handle kernel paging request at ffffb807c2f1aff6
[ 415.963259] PGD 42f53b067 P4D 42f53b067 PUD 0
[ 415.964201] Oops: 0002 [#1] SMP PTI
[ 415.965026] CPU: 5 PID: 1537 Comm: seq_poc Kdump: loaded Tainted: G W 4.19.91-23.al7.x86_64 #1
[ 415.967154] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 415.968353] RIP: 0010:__memcpy+0x12/0x20
[ 415.969187] Code: 48 c1 e2 20 48 09 c2 48 31 d3 e9 68 ff ff ff 90 90 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[ 415.973070] RSP: 0018:ffffb80802097dd8 EFLAGS: 00010202
[ 415.974159] RAX: ffffb807c2f1aff6 RBX: ffff8a85f9593450 RCX: 0000000000000001
[ 415.975638] RDX: 0000000000000002 RSI: ffffffff9b0c231c RDI: ffffb807c2f1aff6
[ 415.977097] RBP: ffffb80842f1b000 R08: ffffffff9b0c231c R09: 0000000000000001
[ 415.978563] R10: ffffe41e47d4fa80 R11: ffffe41e47d4fac0 R12: ffffffff9b0a9cc2
[ 415.980168] R13: ffff8a87a83eaa00 R14: ffffb80802097f10 R15: ffff8a87ad6de700
[ 415.981664] FS: 00007f9ef5d86740(0000) GS:ffff8a87afb40000(0000) knlGS:0000000000000000
[ 415.983464] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 415.984722] CR2: ffffb807c2f1aff6 CR3: 0000000279c40005 CR4: 00000000000606e0
[ 415.986253] Call Trace:
[ 415.986802] prepend+0x23/0x30
[ 415.987517] dentry_path+0x7e/0xa0
[ 415.988249] seq_dentry+0x36/0xa0
[ 415.988954] show_mountinfo+0x203/0x280
[ 415.989764] seq_read+0x14a/0x3d0
[ 415.990514] vfs_read+0x89/0x130
[ 415.991209] ksys_read+0x4a/0xc0
[ 415.991898] do_syscall_64+0x5b/0x1b0
[ 415.992661] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 415.993713] RIP: 0033:0x7f9ef5891a30
[ 415.994450] Code: 0b 31 c0 48 83 c4 08 e9 be fe ff ff 48 8d 3d c7 c3 09 00 e8 42 8c 02 00 66 90 83 3d 8d d5 2d 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de cc 01 00 48 89 04 24
[ 415.998217] RSP: 002b:00007f9ef5d84f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 415.999792] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ef5891a30
[ 416.001249] RDX: 0000000000000400 RSI: 0000000000603240 RDI: 0000000000000003
[ 416.002794] RBP: 00007f9ef5d84ff0 R08: 0000000000603240 R09: 00007f9ef58fcc30
[ 416.004310] R10: 00007f9ef5d849e0 R11: 0000000000000246 R12: 0000000000400c00
[ 416.005786] R13: 00007ffcf5fdd070 R14: 0000000000000000 R15: 0000000000000000
[ 416.007255] Modules linked in: sunrpc intel_rapl_msr intel_rapl_common iosf_mbi sb_edac crct10dif_pclmul crc32_pclmul mousedev ghash_clmulni_intel pcbc aesni_intel psmouse i2c_piix4 crypto_simd cryptd pcspkr glue_helper ip_tables ata_generic pata_acpi cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_piix uhci_hcd drm crc32c_intel libata serio_raw i2c_core floppy
[ 416.014226] CR2: ffffb807c2f1aff6
[ 416.014952] ---[ end trace 558647d5169dc4e0 ]---
[ 416.015915] RIP: 0010:__memcpy+0x12/0x20
[ 416.016733] Code: 48 c1 e2 20 48 09 c2 48 31 d3 e9 68 ff ff ff 90 90 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[ 416.024072] RSP: 0018:ffffb80802097dd8 EFLAGS: 00010202
[ 416.026964] RAX: ffffb807c2f1aff6 RBX: ffff8a85f9593450 RCX: 0000000000000001
[ 416.030291] RDX: 0000000000000002 RSI: ffffffff9b0c231c RDI: ffffb807c2f1aff6
[ 416.033583] RBP: ffffb80842f1b000 R08: ffffffff9b0c231c R09: 0000000000000001
[ 416.036819] R10: ffffe41e47d4fa80 R11: ffffe41e47d4fac0 R12: ffffffff9b0a9cc2
[ 416.040063] R13: ffff8a87a83eaa00 R14: ffffb80802097f10 R15: ffff8a87ad6de700
[ 416.043332] FS: 00007f9ef5d86740(0000) GS:ffff8a87afb40000(0000) knlGS:0000000000000000
[ 416.046754] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 416.049766] CR2: ffffb807c2f1aff6 CR3: 0000000279c40005 CR4: 00000000000606e0
[ 416.052964] Kernel panic - not syncing: Fatal exception
Cause
When other kernel functions use the 64-bit size_t (unsigned long) parameter of the seq_buf_alloc function, these functions change the data type of the parameter value to int, which causes the 64-bit value to be truncated to 32 bits. Attackers can then exploit the vulnerability to tamper with and execute your code. On hosts, the vulnerability can be exploited to escalate the privileges of operators. In containers, it can make the host fail or allow the container to escape. For more information, see Sequoia: A Local Privilege Escalation Vulnerability in Linux's Filesystem Layer (CVE-2021-33909).
Solution
Take note of the following items:
- Before you perform high-risk operations such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
- You can modify the configurations and data of Alibaba Cloud instances such as ECS and ApsaraDB RDS instances. We recommend that you create snapshots or enable RDS log backup before you modify instance configurations or data.
- If you have granted permissions to users or submitted sensitive information such as logon accounts and passwords in Alibaba Cloud Management Console, we recommend that you modify the information in a timely manner.
You can perform the following steps to troubleshoot the problem:
- Log on to the ECS instance. For more information, see Overview.
- Run the following command to check whether one of the following solutions is applicable to your system kernel version:
  uname -r
  Sample output:
  4.19.91-21.al7.x86_64
- Select one of the following solutions based on your system kernel version:
  - For kernel versions earlier than 4.19.91-19.1.al7.x86_64, you can perform the following steps:
    - Run the following command to update the kernel of the operating system to the latest version:
      yum update kernel
    - Run the following command to restart the server for the new kernel version to take effect:
      reboot
    - If the problem persists, run the following command to install a hot patch for the kernel.
  - For kernel versions from V4.19.91-19.1.al7.x86_64 to V4.19.91-24.al7.x86_64, you can run the following command to install a hot patch for the kernel:
    yum install -y kernel-hotfix-5956925-`uname -r | awk -F"-" '{print $NF}'`
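The kernel-version branching in the steps above, as an added example that is not part of the original article or of Alibaba Cloud's tooling. classify_kernel and hotfix_pkg are hypothetical helper names; the version thresholds and the hot patch package prefix are the ones given on this page, and the script only prints the command to run.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code: choose the remediation branch from
# the steps above for a kernel release string. Helper names are hypothetical.

# classify_kernel RELEASE -> update-kernel | hotfix | outside-range | not-al7 | unparsed
classify_kernel() {
    awk -v rel="$1" '
    # Turn "4.19.91-19.1.al7..." into one comparable number; -1 if malformed.
    function key(s,    p, n, i, k) {
        sub(/\.al7.*$/, "", s)
        n = split(s, p, /[.-]/)
        if (n < 4 || n > 5) return -1
        for (i = 1; i <= 5; i++) {
            if (i > n) p[i] = 0                 # "-24" compares as "-24.0"
            if (p[i] !~ /^[0-9]+$/ || p[i] > 999) return -1
            k = k * 1000 + p[i]
        }
        return k
    }
    BEGIN {
        if (rel !~ /\.al7(\.|$)/) { print "not-al7"; exit }
        k = key(rel)
        if (k < 0) print "unparsed"
        else if (k < key("4.19.91-19.1.al7")) print "update-kernel"
        else if (k <= key("4.19.91-24.al7")) print "hotfix"
        else print "outside-range"
    }'
}

# hotfix_pkg RELEASE -> package name that the yum command on this page resolves
# to (same result as: uname -r | awk -F"-" "{print \$NF}").
hotfix_pkg() {
    printf 'kernel-hotfix-5956925-%s\n' "${1##*-}"
}

# Classify the release given as $1, or the running kernel if none is given.
rel=${1:-$(uname -r)}
case $(classify_kernel "$rel") in
    update-kernel) echo "$rel: yum update kernel, then reboot" ;;
    hotfix)        echo "$rel: yum install -y $(hotfix_pkg "$rel")" ;;
    outside-range) echo "$rel: later than 4.19.91-24.al7, outside the range listed here" ;;
    *)             echo "$rel: not a recognized Alibaba Cloud Linux 2 (.al7) kernel release" ;;
esac
```

The comparison is numeric per component, so 4.19.91-19.al7 sorts before 4.19.91-19.1.al7 and older base versions such as 4.19.81 fall into the update branch.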
Applicable scope
- ECS