CVE-2021-47618 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
ARM: 9170/1: fix panic when kasan and kprobe are enabled
arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic.
the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files.
for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ;
ebfc7bf8 bl c03aa4b4 e595706c ldr r7, [r5, #108] ; 0x6c
e2859014 add r9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 : e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 e2890010 add r0, r9, #16 ebf35458 bl c03c6530 e5990010 ldr r0, [r9, #16]
e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ......
when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000
Internal error: Oops: 206 [#1] SMP ARM
PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/04/2025
The vulnerability described in CVE-2021-47618 affects the Linux kernel's handling of kernel debugging features when both Kernel Address Sanitizer (KASAN) and kprobes are enabled simultaneously on ARM32 architectures. This issue stems from an incompatibility between the memory error detection mechanisms of KASAN and the instruction emulation processes used by kprobes. The core problem manifests when kprobe attempts to emulate instructions by constructing assembly functions in C code, requiring specific register binding relationships for execution. When KASAN is enabled, it disrupts these register bindings, leading to instruction simulation failures and ultimately causing kernel panics.
The technical flaw occurs in the kprobe implementation where the emulate instruction functions are distributed across multiple files including actions-common.c, actions-arm.c, and actions-thumb.c. The kernel's approach to handle this conflict involves disabling KASAN compilation for these specific files to prevent register binding destruction during instruction emulation. This vulnerability specifically impacts ARM32 systems where kprobes are used for kernel debugging and tracing operations, particularly when inserting probes on functions like cap_capable+20 after KASAN has been enabled in the kernel runtime environment.
The operational impact of this vulnerability is significant for system administrators and security researchers who rely on both KASAN for memory error detection and kprobes for kernel debugging. When a kernel panic occurs due to this condition, the system becomes unstable and may require rebooting to recover. The panic typically manifests during the execution of emulate_ldr functions where the kernel attempts to simulate memory load instructions, resulting in NULL pointer dereferences at virtual address 0x00000090. This vulnerability directly relates to CWE-121 and CWE-125 which address buffer overflow and out-of-bounds memory access issues, and aligns with ATT&CK techniques involving kernel debugging and system introspection. The issue affects the integrity and availability of kernel operations, particularly in environments where memory safety and kernel debugging capabilities are simultaneously required.
The recommended mitigation strategy involves either disabling KASAN when kprobes are needed, or ensuring that kprobes are configured to operate before KASAN is enabled in the kernel boot sequence. System administrators should also consider using alternative debugging approaches that don't rely on both features simultaneously, particularly in production environments where kernel stability is critical. Additionally, kernel version updates that include the specific fix for CVE-2021-47618 should be applied to address the underlying register binding conflicts that cause this instability. Organizations maintaining kernel debugging environments should implement proper testing procedures to verify compatibility between KASAN and kprobe configurations before deploying these features in critical systems.