Vulnerability CVE-2021-22555 in Alibaba Cloud Linux 2 ECS instances

Last Updated: Sep 01, 2021

Problem description

Vulnerability CVE-2021-22555 may cause a system failure in some scenarios. The vulnerability exists in Elastic Compute Service (ECS) instances that run Alibaba Cloud Linux 2 and have the following properties:

  • Image: Alibaba Cloud Linux 2.1903 LTS 64-bit
  • Kernel: kernel-4.19.91-24.al7 or earlier

The following call stack information is shown during the system failure.

[  104.019092] x_tables: ip6_tables: icmp6.0 match: invalid size 8 (kernel) != (user) 212
[  104.020124] BUG: unable to handle kernel paging request at ffff9879000004b8
[  104.020783] PGD 19a01067 P4D 19a01067 PUD 0 
[  104.021177] Oops: 0000 [#1] SMP PTI
[  104.021526] CPU: 0 PID: 94 Comm: kworker/u4:1 Kdump: loaded Tainted: G           O  K   4.19.91-23.al7.x86_64 #1
[  104.022389] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
[  104.023081] Workqueue: netns cleanup_net
[  104.023450] RIP: 0010:netdev_queue_release+0x55/0xa0
[  104.023892] Code: 48 ab 74 0a c7 07 00 00 00 00 48 83 c7 04 40 f6 c6 02 74 0a 31 c0 48 83 c7 02 66 89 47 fe 83 e6 01 74 03 c6 07 00 49 8b 40 e8 <48> 8b 80 b8 04 00 00 65 ff 08 c3 49 8d 78 01 41 c6 00 00 40 b6 3f
[  104.025531] RSP: 0018:ffffa538804d3cc8 EFLAGS: 00010246
[  104.025982] RAX: ffff987900000000 RBX: ffff9879bb277a18 RCX: 0000000000000000
[  104.026638] RDX: ffff9879bb8b30c0 RSI: 0000000000000000 RDI: ffff9879bb277a58
[  104.027374] RBP: ffffffffb615b0e0 R08: ffff9879bb277a18 R09: ffffffffb5323ef3
[  104.028052] R10: ffff9879bda273a0 R11: fffff43400d73100 R12: ffff9879bbf73a20
[  104.029397] R13: ffff9879bb277a18 R14: 0000000000000000 R15: ffffa538804d3e38
[  104.030741] FS:  0000000000000000(0000) GS:ffff9879bda00000(0000) knlGS:0000000000000000
[  104.032082] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  104.033189] CR2: ffff9879000004b8 CR3: 000000001720a001 CR4: 00000000003606f0
[  104.034463] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  104.035894] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  104.037090] Call Trace:
[  104.038012]  kobject_put+0x81/0x1b0
[  104.039167]  netdev_queue_update_kobjects+0xbd/0x140
[  104.040359]  netdev_unregister_kobject+0x58/0x80
[  104.041462]  rollback_registered_many+0x2d5/0x550
[  104.042593]  ? netdev_run_todo+0x4d/0x2c0
[  104.043678]  unregister_netdevice_many+0x17/0x70
[  104.044853]  default_device_exit_batch+0x131/0x150
[  104.045998]  ? do_wait_intr_irq+0xb0/0xb0
[  104.047282]  cleanup_net+0x1a9/0x2a0
[  104.048323]  process_one_work+0x15b/0x370
[  104.049384]  worker_thread+0x49/0x3e0
[  104.050406]  kthread+0xf8/0x130
[  104.051396]  ? process_one_work+0x370/0x370
[  104.052646]  ? kthread_park+0xb0/0xb0
[  104.053970]  ret_from_fork+0x35/0x40
[  104.055143] Modules linked in: tcp_diag inet_diag xt_NFQUEUE ip6_tables intel_rapl_msr intel_rapl_common iosf_mbi isst_if_common nfit crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd cryptd glue_helper kpatch_5902278(OK) psmouse mousedev pcspkr kpatch(O) pvpanic i2c_piix4 sunrpc ip_tables ata_generic pata_acpi cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix crc32c_intel serio_raw uhci_hcd i2c_core libata floppy [last unloaded: kpatch_xfkpQ0nwgmO]
[  104.064254] CR2: ffff9879000004b8
[  104.065832] ---[ end trace 7a2c6cfbc71f5ecf ]---
[  104.067687] RIP: 0010:netdev_queue_release+0x55/0xa0
[  104.069192] Code: 48 ab 74 0a c7 07 00 00 00 00 48 83 c7 04 40 f6 c6 02 74 0a 31 c0 48 83 c7 02 66 89 47 fe 83 e6 01 74 03 c6 07 00 49 8b 40 e8 <48> 8b 80 b8 04 00 00 65 ff 08 c3 49 8d 78 01 41 c6 00 00 40 b6 3f
[  104.073459] RSP: 0018:ffffa538804d3cc8 EFLAGS: 00010246
[  104.075654] RAX: ffff987900000000 RBX: ffff9879bb277a18 RCX: 0000000000000000
[  104.077569] RDX: ffff9879bb8b30c0 RSI: 0000000000000000 RDI: ffff9879bb277a58
[  104.079289] RBP: ffffffffb615b0e0 R08: ffff9879bb277a18 R09: ffffffffb5323ef3
[  104.081150] R10: ffff9879bda273a0 R11: fffff43400d73100 R12: ffff9879bbf73a20
[  104.083570] R13: ffff9879bb277a18 R14: 0000000000000000 R15: ffffa538804d3e38
[  104.085397] FS:  0000000000000000(0000) GS:ffff9879bda00000(0000) knlGS:0000000000000000
[  104.087283] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  104.088899] CR2: ffff9879000004b8 CR3: 000000001720a001 CR4: 00000000003606f0
[  104.090584] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  104.092251] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  104.093895] Kernel panic - not syncing: Fatal exception
[  104.099305] Kernel Offset: 0x34000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Cause

The Netfilter module of the Linux kernel has a heap out-of-bounds write vulnerability in its handling of the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt options. The vulnerability allows local users to escalate privileges by using user namespaces, and it can be exploited in kCTF to attack pod containers in Kubernetes clusters and escape from the container. This vulnerability has existed in the Linux kernel for 15 years. For more information, see Linux: Heap Out-Of-Bounds Write in xt_compat_target_from_user.

Solution

Take note of the following items:

  • Before you perform high-risk operations such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • You can modify the configurations and data of Alibaba Cloud instances such as ECS and ApsaraDB RDS instances. We recommend that you create snapshots or enable RDS log backup before you modify instance configurations or data.
  • If you have granted permissions to users or submitted sensitive information such as logon accounts and passwords in Alibaba Cloud Management Console, we recommend that you modify the information in a timely manner.

You can perform the following steps to troubleshoot the problem:

  1. Log on to the ECS instance. For more information, see Overview.
  2. Run the following command to check whether one of the solutions is applicable to your system kernel version:
    uname -r
    If an output similar to the following one is returned, one of the solutions is applicable to your system kernel version:
     4.19.91-21.al7.x86_64
  3. Select one of the following solutions based on your system kernel version:
    • For kernel versions earlier than 4.19.91-19.1.al7.x86_64, you can perform the following steps:
      1. Run the following command to update the kernel of the operating system to the latest version:
        yum update kernel
      2. Run the following command to restart the server for the new kernel version to take effect:
        reboot
      3. If the problem persists, run the following command to install a hot patch for the kernel.
    • For kernel versions from 4.19.91-19.1.al7.x86_64 to 4.19.91-24.al7.x86_64, you can run the following command to install a hot patch for the kernel:
      yum install -y kernel-hotfix-5928799-`uname -r | awk -F"-" '{print $NF}'`
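
The version check in steps 2 and 3, as an added example (not Alibaba Cloud's own tooling): a POSIX shell function that maps a `uname -r` string to the remediation path listed above. The function names and result labels are illustrative assumptions; the version ranges and hotfix ID 5928799 come from this page, and only the 4.19.91-<release>.al7 series is classified.

```shell
#!/bin/sh
# Added example: classify a kernel release against the ranges in this advisory.
# Function names and result labels are illustrative, not part of any Alibaba tool.

HOTFIX_ID=5928799   # hotfix ID taken from the advisory's yum command

# rel_key REL: print an integer sort key for a release such as "21" or "19.1".
rel_key() {
    major=${1%%.*}
    case $1 in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    case $major in ''|*[!0-9]*) return 1 ;; esac
    case $minor in ''|*[!0-9]*) return 1 ;; esac
    echo $(( major * 1000 + minor ))
}

# triage KERNEL_RELEASE: print the remediation path the advisory prescribes.
triage() {
    krel=$1
    case $krel in
        4.19.91-*.al7*) ;;                        # series named in the advisory
        *) echo "manual-review"; return 0 ;;      # anything else: check by hand
    esac
    rel=${krel#4.19.91-}                          # e.g. 19.1.al7.x86_64
    rel=${rel%%.al7*}                             # e.g. 19.1
    key=$(rel_key "$rel") || { echo "manual-review"; return 0; }
    if [ "$key" -lt 19001 ]; then                 # earlier than 4.19.91-19.1
        echo "update-kernel"
    elif [ "$key" -le 24000 ]; then               # 4.19.91-19.1 through -24
        # Same suffix the advisory extracts with awk -F"-" '{print $NF}'
        echo "hotfix kernel-hotfix-${HOTFIX_ID}-${krel##*-}"
    else
        echo "outside-listed-ranges"
    fi
}

# Constructed sample releases; replace the list with "$(uname -r)" on a host.
for k in 4.19.91-18.al7.x86_64 4.19.91-21.al7.x86_64 \
         4.19.91-24.al7.x86_64 5.10.60-9.al8.x86_64; do
    printf '%-26s %s\n' "$k" "$(triage "$k")"
done
```
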

Applicable scope

  • ECS