CVE-2021-47584
📋 TL;DR
A divide-by-zero vulnerability in the Linux kernel's iocost block I/O controller allows local attackers to trigger a kernel panic (system crash) by manipulating cgroup configurations. This affects Linux systems using the blk-iocost feature for I/O resource control. Attackers need local access to the system to exploit this vulnerability.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to complete system crash and denial of service, potentially causing data loss or corruption if active I/O operations are interrupted.
Likely Case
Local denial of service through system crash, requiring physical or remote console access to reboot the system.
If Mitigated
No impact if the system is not using blk-iocost feature or has been patched.
🎯 Exploit Status
Requires local access and ability to manipulate cgroup configurations. The vulnerability is triggered through specific cgroup donation operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 3a1a4eb574178c21241a6200f4785572e661c472, a7c80674538f15f85d68138240aae440b8039519, edaa26334c117a584add6053f48d63a988d25a6e
Vendor Advisory: https://git.kernel.org/stable/c/3a1a4eb574178c21241a6200f4785572e661c472
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. Check with your distribution for backported patches. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable blk-iocost
linuxDisable the blk-iocost feature if not required
echo 'kernel.io_cost=0' >> /etc/sysctl.conf
sysctl -p
Restrict cgroup access
linuxLimit user access to cgroup manipulation
chmod 750 /sys/fs/cgroup
setfacl -m u:root:rwx /sys/fs/cgroup
🧯 If You Can't Patch
- Disable blk-iocost feature entirely
- Implement strict access controls on cgroup directories
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if blk-iocost is enabled: uname -r && grep -r 'blk-iocost' /sys/block/*/queueCheck Version:
uname -rVerify Fix Applied:
Verify kernel version contains fix commit: uname -r && zgrep -i '3a1a4eb574178c21241a6200f4785572e661c472' /boot/config*📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- 'divide-by-zero' errors in kernel logs
- 'iocg: invalid donation weights' warnings
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("divide-by-zero" OR "iocost" OR "donation weights")🔗 References
- https://git.kernel.org/stable/c/3a1a4eb574178c21241a6200f4785572e661c472
- https://git.kernel.org/stable/c/a7c80674538f15f85d68138240aae440b8039519
- https://git.kernel.org/stable/c/edaa26334c117a584add6053f48d63a988d25a6e
- https://git.kernel.org/stable/c/3a1a4eb574178c21241a6200f4785572e661c472
- https://git.kernel.org/stable/c/a7c80674538f15f85d68138240aae440b8039519
- https://git.kernel.org/stable/c/edaa26334c117a584add6053f48d63a988d25a6e
