RHSB-2021-006 Long path name in mountpoint flaws in the kernel and systemd (CVE-2021-33909, CVE-2021-33910)

Public Date: July 20, 2021, 12:00 pm
Status: Resolved
Impact: Important

Red Hat is aware of two flaws caused by the incorrect handling of long path names. The first vulnerability is found within the Linux kernel, where a local attacker can escalate privileges and is assigned CVE-2021-33909. The second vulnerability is found in systemd, where a local attacker can crash systemd and the entire system and is assigned CVE-2021-33910.

Both flaws have a severity impact rating of Important.

The following Red Hat product versions are directly affected by CVE-2021-33909:

  • Red Hat Enterprise Linux 8

  • Red Hat Enterprise Linux 7

  • Red Hat Enterprise Linux 6

The following Red Hat product versions are directly affected by CVE-2021-33910:

  • Red Hat Enterprise Linux 8

Further, any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted. This includes:

  • Product containers based on the RHEL or UBI container images. Base images will be updated to include fixes for these flaws; please ensure containers are current. The Container Health Index, part of the Red Hat Container Catalog, can be used to verify the security status of Red Hat containers.

  • Products that pull packages from the RHEL channel (this includes layered products such as OpenShift Container Platform, OpenStack, Red Hat Virtualization, and others). Please ensure that the underlying RHEL kernel and systemd packages are current in these product environments.

To determine if your system is currently vulnerable to these flaws, see the Diagnose section below.

Both vulnerabilities stem from the same class of condition: a file with a very long path name is not handled correctly.

The first vulnerability (CVE-2021-33909) is an attack against the Linux kernel. An unprivileged local attacker can exploit this vulnerability by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. A successful attack results in privilege escalation.

The second vulnerability (CVE-2021-33910) is an attack against systemd (the system and service manager) and requires a local attacker with the ability to mount a filesystem with a long path. This attack causes systemd, the services it manages, and the entire system to crash and stop responding.

Red Hat has investigated whether a mitigation exists for these issues and has not been able to identify a practical one. Please update the affected packages as soon as possible.

Researchers reported the following two vulnerabilities. A short description of each flaw and its impact is listed below.

CVE-2021-33909

An out-of-bounds write flaw was found in the Linux kernel's seq_file in the filesystem layer. This flaw allows a local attacker with user privileges to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion before performing operations on the buffer.

This is a type conversion vulnerability in the filesystem layer of the Linux kernel: a value of one integer type is converted to a narrower type without a range check, so a large unsigned value can overflow into a large negative one.

An attacker must be able to:

  • Create a long path

  • Mount a filesystem at this location

  • Delete the mount point

  • Read the /proc/<pid>/mountinfo file

Reading that file then triggers the issue, resulting in a write over kernel memory at a controllable offset.

The mountinfo file is an example of a seq_file, a virtual file through which the kernel presents a sequence of records. Each record must fit into a seq_file buffer, whose size is tracked as a size_t (a 64-bit unsigned value). The problem manifests when a very long mountpoint path is used in the show_mountinfo function.

Further down the call chain, the buffer length is expected as an int (a 32-bit signed value), as shown below:

show_mountinfo() -> seq_dentry() -> dentry_path(..., ..., int buflen)

Note that the value handed to “buflen” undergoes a size_t-to-int conversion; once the buffer is large enough, the converted number becomes negative and later causes an out-of-bounds access.

When the mountpoint is still in use but its path has been deleted, the incorrectly calculated value is used as the offset at which the string “//deleted” is written, outside the allocated buffer. Because the value is negative, the write lands at a location between 2GB and 10 bytes before the intended buffer location.

A write at this offset causes a denial of service (a system crash) and memory corruption; by targeting specific memory locations it can also lead to privilege escalation.
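The narrowing described above, as an added illustration written for this bulletin rather than kernel code: it models the buffer doubling that seq_read() performs (starting at a page, assumed 4096 bytes here) until a record fits, the silent size_t-to-int conversion at the dentry_path() boundary, and where the “//deleted” marker would land relative to the buffer, computed rather than written. The checked_buflen() helper shows the kind of guard the fix applies in spirit, refusing a buffer length that does not fit in a positive int; all function names and the SEQ_PAGE_SIZE constant are this example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed page size for this model (the kernel uses PAGE_SIZE). */
#define SEQ_PAGE_SIZE 4096u

/* seq_read() starts with a one-page buffer and doubles it until one record
   fits. Return the buffer size a record of record_len bytes ends up with. */
static size_t seq_buf_size_for_record(size_t record_len)
{
    size_t size = SEQ_PAGE_SIZE;
    while (size <= record_len)      /* record plus terminator must fit */
        size <<= 1;
    return size;
}

/* The vulnerable step: seq_dentry() holds the free space as a size_t and
   passes it to dentry_path(), whose buflen parameter is a plain int.
   Nothing checks the range, so 0x80000000 arrives as a negative int. */
static int as_dentry_path_buflen(size_t free_space)
{
    return (int)free_space;
}

/* __dentry_path() starts at end = buf + buflen and prepends components; for a
   deleted mountpoint it prepends the 9-byte "//deleted" marker. Return the
   byte offset of that write relative to buf, without performing it. */
static long long deleted_marker_offset(int buflen)
{
    return (long long)buflen - 9;
}

/* Hardened conversion: refuse any free-space value that cannot be
   represented as a non-negative int. Returns the length, or -1 on refusal. */
static int checked_buflen(size_t free_space)
{
    if (free_space > (size_t)INT_MAX)
        return -1;
    return (int)free_space;
}

/* Walk the chain for one record length and report whether the narrowing
   would have produced a negative buflen (1) or not (0). */
static int record_triggers_negative_buflen(size_t record_len)
{
    size_t size = seq_buf_size_for_record(record_len);
    return as_dentry_path_buflen(size) < 0;
}

int main(void)
{
    /* Constructed record lengths: an ordinary mountinfo line and a path of
       just over 1 GB, which is what the bulletin describes. */
    size_t lengths[] = { 200, ((size_t)1 << 30) + 1 };
    for (size_t i = 0; i < 2; i++) {
        size_t size = seq_buf_size_for_record(lengths[i]);
        int buflen = as_dentry_path_buflen(size);
        printf("record %zu bytes -> buffer %zu bytes -> int buflen %d "
               "-> \"//deleted\" written at offset %lld (checked: %d)\n",
               lengths[i], size, buflen, deleted_marker_offset(buflen),
               checked_buflen(size));
    }
    return 0;
}
```

Running it shows that the ordinary record stays in a 4096-byte buffer with a positive buflen, while the 1 GB record forces a 2 GB buffer whose int view is negative, placing the marker write roughly 2 GB before the buffer, which is the offset range the bulletin describes.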

CVE-2021-33910

A flaw was found in systemd. The use of the alloca() function with an uncontrolled size in the function unit_name_path_escape() allows a local attacker who is able to mount a filesystem on a very long path to crash systemd and the whole system by allocating a very large space on the stack.

This is an attacker-controlled alloca() in systemd, which allows a local attacker to crash the systemd service (PID 1) and with it the entire system. alloca() allocates space required by a program on the stack. It should not be used when the requested size is controlled by a user or may be too large, as otherwise the program may write outside of the available stack space and crash.

Systemd constantly monitors the /proc/self/mountinfo file to get details about mounted filesystems and internally duplicates the mount point string using alloca(). If an attacker can mount a filesystem on a very long path (e.g. by using FUSE), they may trigger this issue and crash the system.

This issue did not affect the versions of systemd shipped with Red Hat Enterprise Linux 7: in the unit_name_path_escape() function they duplicated strings with strdup(), which allocates space on the heap, rather than with strdupa(), which uses alloca() underneath.
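The alloca() pattern and its heap-based alternative, as an added example written for this bulletin and not systemd's code: a simplified model of unit-name path escaping (strip surrounding slashes, map '/' to '-', hex-escape characters outside a small safe set) is run once with its working copy on the stack, the shape of the vulnerable code, and once through a version that bounds the input and allocates on the heap, so an over-long mountpoint becomes an error code rather than a crash. The escaping rules, the PATH_ESCAPE_MAX cap and all function names are this example's own assumptions.

```c
#include <alloca.h>
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on a mountpoint path accepted for escaping (not systemd's value). */
#define PATH_ESCAPE_MAX 4096

static int keep_as_is(unsigned char c)
{
    return isalnum(c) || c == ':' || c == '_' || c == '.';
}

/* Bytes needed for the escaped form of s[0..n), excluding the terminator.
   An empty (root) path escapes to a single "-". */
static size_t escaped_len(const char *s, size_t n)
{
    if (n == 0)
        return 1;
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        out += (c == '/' || keep_as_is(c)) ? 1 : 4;   /* "\xNN" is 4 bytes */
    }
    return out;
}

static void escape_into(const char *s, size_t n, char *dst)
{
    static const char hex[] = "0123456789abcdef";
    if (n == 0)
        *dst++ = '-';
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '/') {
            *dst++ = '-';
        } else if (keep_as_is(c)) {
            *dst++ = (char)c;
        } else {
            *dst++ = '\\'; *dst++ = 'x';
            *dst++ = hex[c >> 4]; *dst++ = hex[c & 0x0f];
        }
    }
    *dst = '\0';
}

/* Point past leading slashes and shorten past trailing ones. */
static const char *trim_slashes(const char *path, size_t *len)
{
    size_t n = strlen(path);
    while (n > 0 && *path == '/') { path++; n--; }
    while (n > 0 && path[n - 1] == '/') n--;
    *len = n;
    return path;
}

/* Vulnerable shape (CVE-2021-33910): the working copy is placed on the stack
   by alloca() with a size taken straight from the mountinfo line, so a path
   of many megabytes exhausts the stack of PID 1 before any check can run.
   Called only with short, constructed input in this example. */
static char *escape_path_alloca(const char *path)
{
    size_t raw = strlen(path) + 1;
    char *copy = alloca(raw);           /* the strdupa() pattern */
    memcpy(copy, path, raw);
    size_t n;
    const char *p = trim_slashes(copy, &n);
    char *out = malloc(escaped_len(p, n) + 1);
    if (out)
        escape_into(p, n, out);
    return out;
}

/* Hardened shape: bound the input first and keep every allocation on the
   heap, returning -ENAMETOOLONG for an over-long mountpoint. */
static int escape_path_bounded(const char *path, char **ret)
{
    if (strlen(path) > PATH_ESCAPE_MAX)
        return -ENAMETOOLONG;
    size_t n;
    const char *p = trim_slashes(path, &n);
    char *out = malloc(escaped_len(p, n) + 1);
    if (!out)
        return -ENOMEM;
    escape_into(p, n, out);
    *ret = out;
    return 0;
}

/* Escape path with either variant and report whether the result equals expect. */
static int escaped_equals(int use_alloca, const char *path, const char *expect)
{
    char *out = NULL;
    if (use_alloca)
        out = escape_path_alloca(path);
    else if (escape_path_bounded(path, &out) != 0)
        return 0;
    int same = out && strcmp(out, expect) == 0;
    free(out);
    return same;
}

/* Feed a constructed mountpoint of len 'a' characters under "/" through the
   bounded escaper and return its result code. */
static int bounded_rc_for_len(size_t len)
{
    char *path = malloc(len + 2);
    if (!path)
        return -ENOMEM;
    path[0] = '/';
    memset(path + 1, 'a', len);
    path[len + 1] = '\0';
    char *escaped = NULL;
    int rc = escape_path_bounded(path, &escaped);
    free(escaped);
    free(path);
    return rc;
}
```

The two escapers produce identical output for ordinary paths; the difference is only where the copy lives and whether a length check precedes it. The bounded version is the one a long-running, privileged daemon should use, since the mountpoint string is chosen by whoever performed the mount.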


Red Hat Enterprise Linux 8
  • CVE-2021-33909 (kernel), Important: Affected - Fixes will be made available for all active streams.
  • CVE-2021-33910 (systemd), Important: Affected - Fixes will be made available for all active streams.

Red Hat Enterprise Linux 7
  • CVE-2021-33909 (kernel), Important: Affected - Fixes will be made available for all active streams.
  • CVE-2021-33910 (systemd), Important: Not affected

Red Hat Enterprise Linux 6
  • CVE-2021-33909 (kernel), Important: Affected - Fixes will be made available for all active streams.
  • CVE-2021-33910 (systemd), Important: Not affected

Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate.  

Product, component(s) and advisory/update [1]:

Red Hat Enterprise Linux 8
  • kernel: RHSA-2021:2714
  • kernel-rt: RHSA-2021:2715
  • kpatch: RHSA-2021:2716
  • systemd: RHSA-2021:2717

Red Hat Enterprise Linux 8.2.0 Extended Update Support [2]
  • kernel: RHSA-2021:2718
  • kernel-rt: RHSA-2021:2719
  • kpatch: RHSA-2021:2720
  • systemd: RHSA-2021:2721

Red Hat Enterprise Linux 8.1.0 Extended Update Support [2]
  • kernel: RHSA-2021:2722
  • kpatch: RHSA-2021:2723
  • systemd: RHSA-2021:2724

Red Hat Enterprise Linux 7
  • kernel: RHSA-2021:2725
  • kernel-rt: RHSA-2021:2726
  • kpatch: RHSA-2021:2727

Red Hat Enterprise Linux 7.7 Extended Update Support [2]
  • kernel: RHSA-2021:2728
  • kpatch: RHSA-2021:2729

Red Hat Enterprise Linux 7.6 Extended Update Support [2]
  • kernel: RHSA-2021:2730
  • kpatch: RHSA-2021:2731

Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Advanced Update Support [3],[4]
  • kernel: RHSA-2021:2732

Red Hat Enterprise Linux 7.3 Advanced Update Support [4]
  • kernel: RHSA-2021:2733

Red Hat Enterprise Linux 7.2 Advanced Update Support [4]
  • kernel: RHSA-2021:2734

Red Hat Enterprise Linux 6 Extended Life-cycle Support [5]
  • kernel: RHSA-2021:2735

Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  • redhat-virtualization-host: RHSA-2021:2736

Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  • redhat-virtualization-host: RHSA-2021:2737

[1] Advisory/Update link will be added once updates are live.

[2] What is the Red Hat Enterprise Linux Extended Update Support (EUS) Subscription?

[3] What is Advanced mission critical Update Support (AUS)?

[4] What is the Red Hat Enterprise Linux SAP Solutions subscription?

[5] An active Extended Life-cycle Support (ELS) subscription is required for access to this patch. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

A vulnerability detection script has been developed to determine if your system is currently vulnerable to these flaws. To verify the authenticity of the script, you can download the detached GPG signature as well. Instructions on how to use the GPG signature for verification are available on the Customer Portal.

Current version: 1.1

3 Comments


Can you expand further on the dependencies needed for this exploit to work?

"An attacker must be able to: [...] Mount a filesystem at this location".

What can a non-privileged user mount on a regular server install? Without installing fuse stuff etc. You can't even use mount --bind without root.

In an unprivileged user namespace, the namespaced root is able to bind mount, which makes this exploit possible on RHEL 8, where unprivileged user namespaces are enabled by default.

Also, kindly reach us at access.redhat.com/support for further information on dependencies.

You can kpatch the kernel to address CVE-2021-33909 on RHEL 7 / 8. For CVE-2021-33910, is a reboot required to fully address it?