Fix the CVE-2021-33909 vulnerability in an Alibaba Cloud Linux instance

Last Updated: Apr 26, 2023

This topic describes how to fix the CVE-2021-33909 vulnerability in an Elastic Compute Service (ECS) instance that runs Alibaba Cloud Linux 2 or 3.

Problem description

An instance that meets the following conditions is affected by the CVE-2021-33909 vulnerability, which causes a system failure on the instance. After the system failure occurs, the call stack information that follows the list of conditions is displayed.

  • Alibaba Cloud Linux 2

    • Image: Alibaba Cloud Linux 2.1903 LTS 64-bit

    • Kernel: kernel-4.19.91-24.al7 or earlier

  • Alibaba Cloud Linux 3

    • Image: Alibaba Cloud Linux 3.2104 64-bit

    • Kernel: kernel-5.10.60-7.al8 or earlier

[  415.961724] BUG: unable to handle kernel paging request at ffffb807c2f1aff6
[  415.963259] PGD 42f53b067 P4D 42f53b067 PUD 0
[  415.964201] Oops: 0002 [#1] SMP PTI
[  415.965026] CPU: 5 PID: 1537 Comm: seq_poc Kdump: loaded Tainted: G        W         4.19.91-23.al7.x86_64 #1
[  415.967154] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  415.968353] RIP: 0010:__memcpy+0x12/0x20
[  415.969187] Code: 48 c1 e2 20 48 09 c2 48 31 d3 e9 68 ff ff ff 90 90 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  415.973070] RSP: 0018:ffffb80802097dd8 EFLAGS: 00010202
[  415.974159] RAX: ffffb807c2f1aff6 RBX: ffff8a85f9593450 RCX: 0000000000000001
[  415.975638] RDX: 0000000000000002 RSI: ffffffff9b0c231c RDI: ffffb807c2f1aff6
[  415.977097] RBP: ffffb80842f1b000 R08: ffffffff9b0c231c R09: 0000000000000001
[  415.978563] R10: ffffe41e47d4fa80 R11: ffffe41e47d4fac0 R12: ffffffff9b0a9cc2
[  415.980168] R13: ffff8a87a83eaa00 R14: ffffb80802097f10 R15: ffff8a87ad6de700
[  415.981664] FS:  00007f9ef5d86740(0000) GS:ffff8a87afb40000(0000) knlGS:0000000000000000
[  415.983464] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  415.984722] CR2: ffffb807c2f1aff6 CR3: 0000000279c40005 CR4: 00000000000606e0
[  415.986253] Call Trace:
[  415.986802]  prepend+0x23/0x30
[  415.987517]  dentry_path+0x7e/0xa0
[  415.988249]  seq_dentry+0x36/0xa0
[  415.988954]  show_mountinfo+0x203/0x280
[  415.989764]  seq_read+0x14a/0x3d0
[  415.990514]  vfs_read+0x89/0x130
[  415.991209]  ksys_read+0x4a/0xc0
[  415.991898]  do_syscall_64+0x5b/0x1b0
[  415.992661]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  415.993713] RIP: 0033:0x7f9ef5891a30
[  415.994450] Code: 0b 31 c0 48 83 c4 08 e9 be fe ff ff 48 8d 3d c7 c3 09 00 e8 42 8c 02 00 66 90 83 3d 8d d5 2d 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de cc 01 00 48 89 04 24
[  415.998217] RSP: 002b:00007f9ef5d84f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  415.999792] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ef5891a30
[  416.001249] RDX: 0000000000000400 RSI: 0000000000603240 RDI: 0000000000000003
[  416.002794] RBP: 00007f9ef5d84ff0 R08: 0000000000603240 R09: 00007f9ef58fcc30
[  416.004310] R10: 00007f9ef5d849e0 R11: 0000000000000246 R12: 0000000000400c00
[  416.005786] R13: 00007ffcf5fdd070 R14: 0000000000000000 R15: 0000000000000000
[  416.007255] Modules linked in: sunrpc intel_rapl_msr intel_rapl_common iosf_mbi sb_edac crct10dif_pclmul crc32_pclmul mousedev ghash_clmulni_intel pcbc aesni_intel psmouse i2c_piix4 crypto_simd cryptd pcspkr glue_helper ip_tables ata_generic pata_acpi cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_piix uhci_hcd drm crc32c_intel libata serio_raw i2c_core floppy
[  416.014226] CR2: ffffb807c2f1aff6
[  416.014952] ---[ end trace 558647d5169dc4e0 ]---
[  416.015915] RIP: 0010:__memcpy+0x12/0x20
[  416.016733] Code: 48 c1 e2 20 48 09 c2 48 31 d3 e9 68 ff ff ff 90 90 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  416.024072] RSP: 0018:ffffb80802097dd8 EFLAGS: 00010202
[  416.026964] RAX: ffffb807c2f1aff6 RBX: ffff8a85f9593450 RCX: 0000000000000001
[  416.030291] RDX: 0000000000000002 RSI: ffffffff9b0c231c RDI: ffffb807c2f1aff6
[  416.033583] RBP: ffffb80842f1b000 R08: ffffffff9b0c231c R09: 0000000000000001
[  416.036819] R10: ffffe41e47d4fa80 R11: ffffe41e47d4fac0 R12: ffffffff9b0a9cc2
[  416.040063] R13: ffff8a87a83eaa00 R14: ffffb80802097f10 R15: ffff8a87ad6de700
[  416.043332] FS:  00007f9ef5d86740(0000) GS:ffff8a87afb40000(0000) knlGS:0000000000000000
[  416.046754] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  416.049766] CR2: ffffb807c2f1aff6 CR3: 0000000279c40005 CR4: 00000000000606e0
[  416.052964] Kernel panic - not syncing: Fatal exception

Cause

seq_buf_alloc() takes a size argument of type size_t, which is a 64-bit unsigned long. Other functions that use this size convert it to int, which truncates the 64-bit integer to 32 bits. This vulnerability can be exploited to tamper with and run arbitrary code. It allows unprivileged users to escalate to root and may lead to an operating system crash in containers or to container escape. For more information, see Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909).

Solutions

To resolve the preceding issue, perform the following steps:

  1. Log on to the instance. For more information, see Connection methods.

  2. Run the following command to check the kernel version of the instance:

    uname -r

    Output similar to one of the following is displayed, depending on the operating system version of the instance.

    • Command output for Alibaba Cloud Linux 2

      4.19.91-21.al7.x86_64
    • Command output for Alibaba Cloud Linux 3

      5.10.60-7.al8.x86_64
  3. Use one of the following solutions based on the kernel version of the instance:

    Solutions for Alibaba Cloud Linux 2

    • Method 1: For kernel versions earlier than 4.19.91-19.1.al7.x86_64, perform the following steps:

      1. Run the following command to update to the latest kernel version:

        yum update kernel
      2. Run the following command to restart the instance for the update to take effect:

        reboot
      3. Install a live kernel patch.

        If the issue persists after you update to the latest kernel version, use Method 2 to install a live kernel patch.

    • Method 2: For kernel versions from 4.19.91-19.1.al7.x86_64 to 4.19.91-24.al7.x86_64, run the following command to install a live kernel patch:

      yum install -y kernel-hotfix-5956925-`uname -r | awk -F"-" '{print $NF}'`

    Solutions for Alibaba Cloud Linux 3

    • Method 1: For kernel versions earlier than kernel-5.10.60-8.al8, perform the following steps:

      1. Run the following command to update to the latest kernel version:

        yum update kernel
      2. Run the following command to restart the instance for the update to take effect:

        reboot
      3. Install a live kernel patch.

        If the issue persists after you update to the latest kernel version, use Method 2 to install a live kernel patch.

    • Method 2: For kernel versions kernel-5.10.60-7.al8 or earlier, run the following command to install a live kernel patch:

      yum install -y kernel-hotfix-5956925-`uname -r | awk -F"-" '{print $NF}'`
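
As an added example (not part of Alibaba Cloud's documentation or tooling), the following script turns steps 2 and 3 into a repeatable check: it compares a uname -r string against the kernel ranges listed on this page and reports which method applies, and it builds the hotfix package name the same way the yum command above does. The function names and result labels (al2-method1, not-listed, and so on) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: map a kernel release string to the method this page lists.
# Function names and result labels are illustrative, not Alibaba Cloud tooling.

# ver_cmp A B: print -1, 0 or 1. Fields are split on '.' and '-';
# a missing field counts as 0, so 19 sorts before 19.1.
ver_cmp() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    for x in "$@"; do
        if [ "$x" -gt 0 ]; then echo 1; return 0; fi
    done
    echo 0
}

# classify_kernel RELEASE: RELEASE is the output of `uname -r`.
classify_kernel() {
    case $1 in
        *.al7*) dist=al7 ;;
        *.al8*) dist=al8 ;;
        *) echo not-alinux; return 0 ;;
    esac
    ver=${1%%.al[78]*}                 # 4.19.91-21.al7.x86_64 -> 4.19.91-21
    case $ver in ''|*[!0-9.-]*) echo unparsed; return 0 ;; esac
    if [ "$dist" = al7 ]; then
        if [ "$(ver_cmp "$ver" 4.19.91-24)" -gt 0 ]; then echo not-listed
        elif [ "$(ver_cmp "$ver" 4.19.91-19.1)" -lt 0 ]; then echo al2-method1
        else echo al2-method2
        fi
    elif [ "$(ver_cmp "$ver" 5.10.60-7)" -gt 0 ]; then echo not-listed
    else echo al3-method1-or-2
    fi
}

# hotfix_pkg RELEASE: package name built the same way as the page's
# `uname -r | awk -F"-" '{print $NF}'` pipeline (text after the last '-').
hotfix_pkg() {
    echo "kernel-hotfix-5956925-${1##*-}"
}

rel=$(uname -r)
echo "$rel: $(classify_kernel "$rel")"
```

A result of not-listed means only that the release is newer than the kernel ranges this page names.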