What is the vulnerability that was fixed
CVE-2022-21499
On a Lockdown-enabled system, an attacker who gained access to the kernel debugger (KGDB or KDB), for example via a serial console, could directly read and write kernel memory and so bypass the Lockdown protection. The vulnerability is rated high risk, but no real-world exploits are known.
Lockdown Mode explained
In version 5.4 the Linux kernel gained a special "Lockdown" mode that limits what the superuser may do with "sensitive" parts of the system. Without it, the root user was effectively all-powerful and could access practically everything. With Lockdown mode active, certain operations are restricted at the kernel level, such as:
- direct access to both kernel and application memory
- direct access to I/O ports
- access to kernel core dumps
- installing kprobes
- installing BPF programs
- specifying kernel module parameters that can lead to direct hardware access
- manipulation of ACPI tables
- loading of unsigned kernel modules
Lockdown is implemented architecturally as a Linux Security Module (alongside SELinux and AppArmor) and is enabled at kernel build time (see the CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY configuration options).
Lockdown and kernel debuggers
KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port (for example, via a hypervisor console, which some cloud vendors provide over the network) could trigger the debugger, so it is important that the debugger respects lockdown mode if and when it is triggered.
A new check for Lockdown mode was added to the kgdb_cpu_enter function, along with the new Lockdown reasons LOCKDOWN_DBG_WRITE_KERNEL and LOCKDOWN_DBG_READ_KERNEL.
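The following is an added, simplified C model of the policy described above; it is not the kernel's own code. It shows why two separate reasons were needed: writing kernel memory is an integrity concern, so it is denied already at the "integrity" lockdown level, while reading kernel memory is a confidentiality concern, so it is denied only at the "confidentiality" level. The model then applies those reasons the way a debugger entry point must: KDB's command set is reduced to read-only classes under integrity lockdown and to nothing under confidentiality lockdown, and the gdb stub (KGDB), which hands the remote side both read and write access, is treated as a write capability and refused entry as soon as writes are restricted. The level, reason and flag names (LEVEL_*, REASON_*, KDB_F_*) and the read-only-KDB / deny-KGDB decision rule are assumptions chosen for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Added illustrative model, not the kernel's own code: how Lockdown
 * orders its reasons and how a debugger entry point consults them.
 * All level, reason and flag values below are assumptions for this
 * example. */

enum lockdown_level {
	LEVEL_NONE = 0,            /* no lockdown */
	LEVEL_INTEGRITY = 1,       /* CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY */
	LEVEL_CONFIDENTIALITY = 2, /* CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY */
};

/* Each reason is tied to the level at which it becomes restricted:
 * writing kernel memory breaks integrity, reading it breaks
 * confidentiality. */
enum lockdown_reason {
	REASON_DBG_WRITE_KERNEL, /* models LOCKDOWN_DBG_WRITE_KERNEL */
	REASON_DBG_READ_KERNEL,  /* models LOCKDOWN_DBG_READ_KERNEL */
};

static enum lockdown_level reason_level(enum lockdown_reason what)
{
	return what == REASON_DBG_WRITE_KERNEL ? LEVEL_INTEGRITY
					       : LEVEL_CONFIDENTIALITY;
}

/* 0 = permitted, -EPERM = restricted, matching the return convention
 * of the kernel's security_locked_down() hook. */
int locked_down(enum lockdown_level level, enum lockdown_reason what)
{
	if (level >= reason_level(what)) {
		fprintf(stderr, "Lockdown: debugger: %s is restricted\n",
			what == REASON_DBG_WRITE_KERNEL
				? "use of kgdb/kdb to write kernel RAM"
				: "use of kgdb/kdb to read kernel RAM");
		return -EPERM;
	}
	return 0;
}

/* KDB command-class flags (assumed names). KDB_F_ALL is a shorthand
 * that must be expanded into individual classes before any class can
 * be masked off. */
enum kdb_flags {
	KDB_F_MEM_READ  = 1 << 0,
	KDB_F_MEM_WRITE = 1 << 1,
	KDB_F_ALL       = 1 << 2,
	KDB_F_MASK      = KDB_F_MEM_READ | KDB_F_MEM_WRITE,
};

/* Recompute which KDB command classes stay enabled at this lockdown
 * level. Evaluated on every debugger entry, because lockdown may be
 * raised after boot. */
int kdb_enabled_after_lockdown(enum lockdown_level level, int enabled)
{
	int deny_write = locked_down(level, REASON_DBG_WRITE_KERNEL) != 0;
	int deny_read  = locked_down(level, REASON_DBG_READ_KERNEL) != 0;

	if ((deny_write || deny_read) && (enabled & KDB_F_ALL))
		enabled = KDB_F_MASK;          /* decompose ALL into classes */
	if (deny_write)
		enabled &= ~KDB_F_MEM_WRITE;
	if (deny_read)
		enabled &= ~KDB_F_MEM_READ;
	return enabled;
}

/* The gdb stub (KGDB) gives the remote side read and write access, so
 * this model treats it as a write capability: entry is refused unless
 * writes are permitted. Returns 1 if entry is allowed, 0 otherwise. */
int kgdb_entry_allowed(enum lockdown_level level)
{
	return locked_down(level, REASON_DBG_WRITE_KERNEL) == 0;
}

int main(void)
{
	static const char *names[] = { "none", "integrity", "confidentiality" };

	for (int lvl = LEVEL_NONE; lvl <= LEVEL_CONFIDENTIALITY; lvl++) {
		int kdb = kdb_enabled_after_lockdown(lvl, KDB_F_ALL);

		printf("lockdown=%-15s kgdb entry: %-7s kdb: read=%d write=%d\n",
		       names[lvl],
		       kgdb_entry_allowed(lvl) ? "allowed" : "denied",
		       !!(kdb & (KDB_F_MEM_READ | KDB_F_ALL)),
		       !!(kdb & (KDB_F_MEM_WRITE | KDB_F_ALL)));
	}
	return 0;
}
```

Running the model walks through the three levels and prints the resulting debugger policy for each; the point to take away is that a single "is lockdown on?" test would not suffice, because the integrity level must still admit a read-only KDB session while refusing anything that can modify kernel memory.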
Useful Links