The Linux kernel is known for its reliability and security. However, it's not immune to vulnerabilities. In this post, we are going to discuss a recently resolved Linux kernel vulnerability (CVE-2021-46961) related to IRQ handling, specifically in the irqchip/gic-v3 subsystem.

The vulnerability arises when the Linux kernel enables interrupts while handling spurious interrupts. This issue was discovered while running a 4.19 kernel with the pseudo-NMI patches backported to it.

The problem occurs when a spurious interrupt leads to a nested NMI (Non-Maskable Interrupt) situation, which the kernel cannot handle. The log excerpt below shows a kernel panic caused by this vulnerability:

...
[   14.816258] Modules linked in: start_dp(O) smeth(O)
[   15.103092] ---[ end trace 701753956cb14aa8 ]---
[   15.103093] Kernel panic - not syncing: Fatal exception in interrupt
[   15.103099] SMP: stopping secondary CPUs
[   15.103100] Kernel Offset: disabled
[   15.103100] CPU features: x36,a2400218
[   15.103100] Memory Limit: none

To fix this issue, the handling of spurious interrupts was moved as early as possible in the GICv3 handler. This change ensures that spurious interrupts do not result in any state change, thus preventing the nested NMI situation.
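The ordering change described above, as an added example that is not code from the kernel or from this post: a simplified user-space model in C. The struct, the function names and the counters are hypothetical, and the special INTID range 1020-1023 (1023 being the spurious ID) comes from the GICv3 architecture, not from the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the CPU state one handler invocation can change. */
struct cpu_model {
    unsigned unmask_events; /* times the handler re-enabled interrupts */
    unsigned dispatched;    /* real interrupts passed on to a driver */
};

typedef void (*irq_handler_fn)(struct cpu_model *, uint32_t);

/* GICv3 reserves INTIDs 1020-1023 as special; 1023 is the spurious ID. */
static int is_special_intid(uint32_t intid)
{
    return intid >= 1020 && intid <= 1023;
}

/* Ordering described as vulnerable: interrupts are enabled before the check. */
static void handle_irq_before_fix(struct cpu_model *cpu, uint32_t intid)
{
    cpu->unmask_events++;        /* state changes even for a spurious ID */
    if (is_special_intid(intid))
        return;
    cpu->dispatched++;
}

/* Fixed ordering: special INTIDs return before any state is touched. */
static void handle_irq_after_fix(struct cpu_model *cpu, uint32_t intid)
{
    if (is_special_intid(intid))
        return;
    cpu->unmask_events++;
    cpu->dispatched++;
}

/* Run one handler invocation on a fresh model and return the final state. */
static struct cpu_model run_handler(irq_handler_fn handler, uint32_t intid)
{
    struct cpu_model cpu = {0, 0};
    handler(&cpu, intid);
    return cpu;
}

int main(void)
{
    printf("spurious unmask events: before=%u after=%u\n",
           run_handler(handle_irq_before_fix, 1023).unmask_events,
           run_handler(handle_irq_after_fix, 1023).unmask_events);
    return 0;
}
```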

If you are using a Linux kernel version with the affected irqchip/gic-v3 subsystem, it is highly recommended to update your kernel to a version that includes the fix for this vulnerability (CVE-2021-46961). By doing so, you can ensure your system's stability and prevent potential kernel panics caused by this issue.

In summary, the Linux kernel vulnerability CVE-2021-46961 highlights the importance of keeping your kernel up to date with the latest security patches. Always monitor announcements for new releases and security fixes to ensure your system remains secure from potential threats.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 02/28/2024 14:06:45 UTC