A recent vulnerability in the Linux kernel, designated as CVE-2021-46904, has been resolved. The issue pertains to the net subsystem and hso (High-Speed Option) drivers, which handle Focus Infocom HSO devices in the Linux kernel. The vulnerability results in a null-ptr-deref (null pointer dereference) during the unregistration of tty (teletype) devices. This post includes a snippet of the code that demonstrates the issue, links to primary references, and details on the exploit of this vulnerability.

Code Snippet

The problematic portion of the code is in the get_free_serial_index() function, which is responsible for returning an available minor number, but doesn't assign it immediately. This leads to multiple ttys trying to claim the same minor number, causing a double unregistration of the same device.

Original References

For detailed information on this vulnerability, review the commit message that resolves the issue and the references provided:
1. Linux kernel source (commit)
2. Official CVE listing

Exploit Details

The vulnerability is triggered during the tty device unregistration process. When multiple ttys attempt to claim the same minor number, the first unregistration succeeds. However, the subsequent unregistration of the same device leads to a null pointer dereference, which can cause system crashes and could potentially be leveraged by malicious actors for other nefarious purposes.

Fix Details

The fix involves modifying the get_free_serial_index() function to assign the minor number immediately after it is found available. After making this change, the function is renamed to obtain_minor() to better reflect its purpose. Additionally, the set_serial_by_index() function is renamed to release_minor() and altered to free up the minor number of the given hso_serial. Consequently, every call to obtain_minor() should now have a corresponding release_minor() call.
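A simplified user-space model of the pattern described under Code Snippet and Fix Details, added here as an example; it is not the kernel's hso code. The table size, the `struct serial` stand-in and the `minors_collide()` helper are assumptions for illustration, and the kernel's locking is left out because the model replays the two device setups one after the other.

```c
#include <stdio.h>

#define MINORS 4                      /* constructed table size for this model */
struct serial { int minor; };         /* simplified stand-in for struct hso_serial */
static struct serial *table[MINORS];  /* models the driver's minor-number table */

/* Pre-fix pattern: report a free index but leave the slot unclaimed. */
static int get_free_serial_index(void)
{
    for (int i = 0; i < MINORS; i++)
        if (table[i] == NULL)
            return i;
    return -1;
}

/* Post-fix pattern: claim the slot in the same step that finds it free. */
static int obtain_minor(struct serial *s)
{
    for (int i = 0; i < MINORS; i++)
        if (table[i] == NULL) {
            table[i] = s;
            s->minor = i;
            return 0;
        }
    return -1;
}

static void release_minor(struct serial *s) { table[s->minor] = NULL; }
/* Replay two device setups; return 1 if both ended up with the same minor. */
static int minors_collide(int fixed)
{
    struct serial a = { -1 }, b = { -1 };
    if (fixed) {
        obtain_minor(&a);
        obtain_minor(&b);                   /* slot 0 is taken, so b gets slot 1 */
    } else {
        a.minor = get_free_serial_index();  /* slot 0 reported, not claimed */
        b.minor = get_free_serial_index();  /* slot 0 reported a second time */
        table[a.minor] = &a;
        table[b.minor] = &b;                /* overwrites a's entry */
    }
    release_minor(&a);
    release_minor(&b);                      /* pre-fix: same slot released twice */
    return a.minor == b.minor;
}

int main(void)
{
    printf("pre-fix collide=%d post-fix collide=%d\n", minors_collide(0), minors_collide(1));
    return 0;
}
```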

In summary, the community should update their Linux kernel installations to ensure they don't fall victim to this vulnerability. The CVE-2021-46904 issue demonstrates the importance of continuous code reviews and vulnerability patching to maintain the security and stability of open-source systems.

Timeline

Published on: 02/26/2024 16:27:45 UTC
Last modified on: 04/17/2024 19:33:10 UTC