This topic describes how to fix the CVE-2021-22555 vulnerability in an Elastic Compute Service (ECS) instance that runs Alibaba Cloud Linux 2.
Problem description
The CVE-2021-22555 vulnerability exists in an instance that meets the following conditions, and causes a system failure when the instance runs. The following call stack information is displayed after the system failure occurs.
The instance uses the Alibaba Cloud Linux 2.1903 LTS 64-bit image.
The kernel version of the instance is kernel-4.19.91-24.al7 or earlier.
[ 104.019092] x_tables: ip6_tables: icmp6.0 match: invalid size 8 (kernel) != (user) 212
[ 104.020124] BUG: unable to handle kernel paging request at ffff9879000004b8
[ 104.020783] PGD 19a01067 P4D 19a01067 PUD 0
[ 104.021177] Oops: 0000 [#1] SMP PTI
[ 104.021526] CPU: 0 PID: 94 Comm: kworker/u4:1 Kdump: loaded Tainted: G O K 4.19.91-23.al7.x86_64 #1
[ 104.022389] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014
[ 104.023081] Workqueue: netns cleanup_net
[ 104.023450] RIP: 0010:netdev_queue_release+0x55/0xa0
[ 104.023892] Code: 48 ab 74 0a c7 07 00 00 00 00 48 83 c7 04 40 f6 c6 02 74 0a 31 c0 48 83 c7 02 66 89 47 fe 83 e6 01 74 03 c6 07 00 49 8b 40 e8 <48> 8b 80 b8 04 00 00 65 ff 08 c3 49 8d 78 01 41 c6 00 00 40 b6 3f
[ 104.025531] RSP: 0018:ffffa538804d3cc8 EFLAGS: 00010246
[ 104.025982] RAX: ffff987900000000 RBX: ffff9879bb277a18 RCX: 0000000000000000
[ 104.026638] RDX: ffff9879bb8b30c0 RSI: 0000000000000000 RDI: ffff9879bb277a58
[ 104.027374] RBP: ffffffffb615b0e0 R08: ffff9879bb277a18 R09: ffffffffb5323ef3
[ 104.028052] R10: ffff9879bda273a0 R11: fffff43400d73100 R12: ffff9879bbf73a20
[ 104.029397] R13: ffff9879bb277a18 R14: 0000000000000000 R15: ffffa538804d3e38
[ 104.030741] FS: 0000000000000000(0000) GS:ffff9879bda00000(0000) knlGS:0000000000000000
[ 104.032082] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 104.033189] CR2: ffff9879000004b8 CR3: 000000001720a001 CR4: 00000000003606f0
[ 104.034463] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 104.035894] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 104.037090] Call Trace:
[ 104.038012] kobject_put+0x81/0x1b0
[ 104.039167] netdev_queue_update_kobjects+0xbd/0x140
[ 104.040359] netdev_unregister_kobject+0x58/0x80
[ 104.041462] rollback_registered_many+0x2d5/0x550
[ 104.042593] ? netdev_run_todo+0x4d/0x2c0
[ 104.043678] unregister_netdevice_many+0x17/0x70
[ 104.044853] default_device_exit_batch+0x131/0x150
[ 104.045998] ? do_wait_intr_irq+0xb0/0xb0
[ 104.047282] cleanup_net+0x1a9/0x2a0
[ 104.048323] process_one_work+0x15b/0x370
[ 104.049384] worker_thread+0x49/0x3e0
[ 104.050406] kthread+0xf8/0x130
[ 104.051396] ? process_one_work+0x370/0x370
[ 104.052646] ? kthread_park+0xb0/0xb0
[ 104.053970] ret_from_fork+0x35/0x40
[ 104.055143] Modules linked in: tcp_diag inet_diag xt_NFQUEUE ip6_tables intel_rapl_msr intel_rapl_common iosf_mbi isst_if_common nfit crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd cryptd glue_helper kpatch_5902278(OK) psmouse mousedev pcspkr kpatch(O) pvpanic i2c_piix4 sunrpc ip_tables ata_generic pata_acpi cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix crc32c_intel serio_raw uhci_hcd i2c_core libata floppy [last unloaded: kpatch_xfkpQ0nwgmO]
[ 104.064254] CR2: ffff9879000004b8
[ 104.065832] ---[ end trace 7a2c6cfbc71f5ecf ]---
[ 104.067687] RIP: 0010:netdev_queue_release+0x55/0xa0
[ 104.069192] Code: 48 ab 74 0a c7 07 00 00 00 00 48 83 c7 04 40 f6 c6 02 74 0a 31 c0 48 83 c7 02 66 89 47 fe 83 e6 01 74 03 c6 07 00 49 8b 40 e8 <48> 8b 80 b8 04 00 00 65 ff 08 c3 49 8d 78 01 41 c6 00 00 40 b6 3f
[ 104.073459] RSP: 0018:ffffa538804d3cc8 EFLAGS: 00010246
[ 104.075654] RAX: ffff987900000000 RBX: ffff9879bb277a18 RCX: 0000000000000000
[ 104.077569] RDX: ffff9879bb8b30c0 RSI: 0000000000000000 RDI: ffff9879bb277a58
[ 104.079289] RBP: ffffffffb615b0e0 R08: ffff9879bb277a18 R09: ffffffffb5323ef3
[ 104.081150] R10: ffff9879bda273a0 R11: fffff43400d73100 R12: ffff9879bbf73a20
[ 104.083570] R13: ffff9879bb277a18 R14: 0000000000000000 R15: ffffa538804d3e38
[ 104.085397] FS: 0000000000000000(0000) GS:ffff9879bda00000(0000) knlGS:0000000000000000
[ 104.087283] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 104.088899] CR2: ffff9879000004b8 CR3: 000000001720a001 CR4: 00000000003606f0
[ 104.090584] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 104.092251] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 104.093895] Kernel panic - not syncing: Fatal exception
[ 104.099305] Kernel Offset: 0x34000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)Cause
The Netfilter module of the Linux kernel has a heap out-of-bounds write vulnerability when the module processes setsockopt IPT_SO_SET_REPLACE or IP6T_SO_SET_REPLACE. This vulnerability allows local users to escalate privileges by using user namespaces and can be exploited in kCTF to attack pod containers in Kubernetes clusters to achieve container escape. The preceding vulnerability has existed in the Linux kernel for 15 years. For more information, see Linux: Heap Out-Of-Bounds Write in xt_compat_target_from_user.
Solution
To resolve the preceding issue, perform the following steps:
Log on to the instance. For more information, see Connection methods.
Run the following command to check the kernel version of the instance:
uname -rA command output similar to the following one is displayed:
4.19.91-21.al7.x86_64Use one of the following methods based on the kernel version of the instance:
Method 1: For kernel versions earlier than 4.19.91-19.1.al7.x86_64, perform the following steps:
Run the following command to update the operating system to the latest kernel version:
yum update kernelRun the following command to restart the instance for the update to take effect:
rebootIf the issue persists after you update the operating system to the latest kernel version, use Method 2 to install a live patch.
Method 2: For kernel versions from 4.19.91-19.1.al7.x86_64 to 4.19.91-24.al7.x86_64, run the following command to install a live patch for the kernel:
yum install -y kernel-hotfix-5928799-`uname -r | awk -F"-" '{print $NF}'`