A critical vulnerability (CVE-2021-46905) in the Linux kernel has been resolved in the net: hso (High-Speed Option) subsystem. This subsystem manages tethered connections to modems and similar devices. The vulnerability could allow unauthorized access to critical kernel data structures or crash the host system.

Background

The history starts with commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration"). That commit resolved the racy minor allocation reported by syzbot, but in doing so introduced an unconditional NULL-pointer dereference on every disconnect: the serial device table can no longer be accessed after the minor has been released by hso_serial_tty_unregister().
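To make that ordering rule concrete, here is an added example constructed for this page (not code from drivers/net/usb/hso.c or from the patch): a minor-indexed device table, a buggy teardown that consults the table again after the minor has been released, and a fixed teardown that captures the pointer it needs before the slot is cleared. All names (serial_table, tty_unregister, free_interface_*, teardown_demo) are hypothetical stand-ins.

```c
/* Constructed model of the rule behind CVE-2021-46905: a minor-indexed table
 * must not be consulted once the minor is released. Names are hypothetical. */
#include <stddef.h>
struct dev_parent { int refcount; };
struct serial_dev { int minor; struct dev_parent *parent; };
static struct serial_dev *serial_table[4];

/* Stand-in for tty unregistration: releasing the minor clears its table slot. */
static void tty_unregister(struct serial_dev *dev)
{
	serial_table[dev->minor] = NULL;
}

/* Buggy teardown: looks the device up by minor again AFTER the minor is gone.
 * Returns -2 at the point where the kernel would dereference NULL and crash. */
static int free_interface_buggy(int minor)
{
	struct serial_dev *dev = serial_table[minor];
	if (!dev) return -1;
	tty_unregister(dev);
	if (!serial_table[minor]) return -2;
	serial_table[minor]->parent->refcount--;
	return 0;
}

/* Fixed teardown: take the parent pointer once, before the slot is cleared,
 * and never consult the table afterwards. */
static int free_interface_fixed(int minor)
{
	struct serial_dev *dev = serial_table[minor];
	if (!dev) return -1;
	struct dev_parent *parent = dev->parent;
	tty_unregister(dev);
	parent->refcount--;
	return 0;
}

/* Register a fresh device (parent refcount 1) at minor 0, run one teardown and
 * return its status; *refcount_out receives the parent's refcount afterwards. */
int teardown_demo(int use_fix, int *refcount_out)
{
	static struct dev_parent parent;
	static struct serial_dev dev = { 0, &parent };
	parent.refcount = 1;
	serial_table[0] = &dev;
	int rc = use_fix ? free_interface_fixed(0) : free_interface_buggy(0);
	*refcount_out = parent.refcount;
	return rc;
}
```

The buggy path returns -2 with the reference never dropped, which is where the real driver oopsed; the fixed path returns 0 and releases the reference.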

Exploit Details

The NULL-pointer dereference could potentially lead to unauthorized access to critical kernel data structures, allowing an attacker to crash the system or gain control of it.

The following code snippet shows the change made to fix the vulnerability in the Linux kernel:

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 1b9875d740a6..c61997b10890 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2735,9 +2735,11 @@ static void hso_serial_common_free(struct hso_serial *serial)
 {
        if (!serial)
                return;
-       hso_put_activity(serial);
        hso_serial_tty_unregister(serial);
+       hso_put_activity(serial);
        hso_serial_common_free(serial);
 }
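Review bot: the function shown in this hunk calls itself: the @@ context names hso_serial_common_free(struct hso_serial *serial), and the last statement of the body is hso_serial_common_free(serial) with serial unchanged, so after the if (!serial) return; guard this recurses without bound; either the callee should be a different free routine or the context line is wrong. The hunk header also claims 9 old and 11 new lines while only 7 of each are shown, so the hunk as pasted is incomplete. Finally, the Background states that the serial device table must not be accessed after hso_serial_tty_unregister() releases the minor, yet the change moves hso_put_activity(serial) to run after that call; a comment stating why hso_put_activity() does not consult the table would make the new ordering reviewable.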

The referenced commit moves the call to hso_put_activity(serial) after hso_serial_tty_unregister(serial).

1. Patch commit: ef782789332a ("hso: fix NULL-deref on disconnect regression")
2. Initial commit: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration")

Conclusion

The CVE-2021-46905 vulnerability in the Linux kernel has been resolved, and users should patch their systems as soon as possible to avoid attacks exploiting it. By handling the serial device table correctly (moving the call to hso_put_activity(serial) after hso_serial_tty_unregister(serial)), the Linux kernel developers fixed the NULL-pointer dereference, providing a more secure environment for users operating Linux devices with tethered connections.

Timeline

Published on: 02/26/2024 16:27:45 UTC
Last modified on: 04/17/2024 19:30:05 UTC