CVE-2021-46919 - Linux Kernel DMA Engine Vulnerability: Fixing Work Queue Size Store Permission State

The Linux kernel, which forms the core foundation of many distributions such as Ubuntu, Fedora, and many more, is very critical to the security aspect of the operating systems. Recently, a new vulnerability was discovered in the Linux kernel, specifically in its Direct Memory Access (DMA) engine subsystem. This vulnerability, assigned the identifier CVE-2021-46919, could potentially allow attackers to exploit and compromise systems running on affected versions of the Linux kernel.

Vulnerability Details

The vulnerability lies in the DMA engine subsystem's Indexed Driver (idxd) component, which is responsible for managing Work Queues (WQ) and handling data transfer operations between I/O devices and system memory. The issue resides in the way the kernel handles the size store permission state of the WQs.

The WQ size should only be changeable when the device is in a disabled state. However, the current code implementation allows the size to be changed even when the device is enabled, as long as the WQ itself is disabled. This could lead to unintended consequences, as it theoretically allows attackers to tamper with and change the size of the WQ, potentially leading to memory corruption and system instability.

Fixing the Issue

To address this vulnerability, the developers responsible for maintaining the Linux kernel have introduced an update to the idxd driver code. The patch modifies the existing check on the WQ size store permission state to ensure that the device must be disabled before the size of the WQ can be changed. Here's a code snippet of the updated function:

ssize_t idxd_wq_size_store(struct device *dev, struct device_attribute *attr,
                           const char *buf, size_t count)
{
  struct idxd_wq *wq = confdev_to_wq(to_config_dev(dev));
  int rc;
  int size;

  dev_dbg(&wq->conf_dev, "size_store: %s\n", buf);

+  if (confdev_to_idxd(&wq->conf_dev)->state != COMP_IDXD_DISABLED) {
+      dev_warn(dev, "Device not disabled\n");
+      return -EBUSY;
+  }
+
  rc = kstrtoint(buf, 10, &size);
  if (rc < )
      return rc;

  if (size > wq->max_size) {
      dev_warn(dev, "Invalid WQ size: %d\n", size);
      return -EINVAL;
  }

  wq->size = size;
  return count;
}

The added code checks the state of the parent device associated with the WQ and ensures that it is in the COMP_IDXD_DISABLED state before allowing any changes to the WQ size. This effectively ensures that the WQ size can only be modified when the device is disabled, thus resolving the vulnerability.

Original References

You can find more information on this vulnerability and the corresponding patch from the following sources:

1. Linux Kernel Mailing List (LKML) Patch: LKML Patch
2. CVE-2021-46919 in the National Vulnerability Database (NVD): NVD CVE-2021-46919

Conclusion

It is crucial to keep your systems up-to-date with the latest security patches and updates in order to safeguard against known vulnerabilities. If you are running a Linux kernel version that is affected by CVE-2021-46919, it is highly recommended to apply the patch as soon as possible to protect your system against potential attackers who may attempt to exploit this vulnerability. Stay vigilant, and always prioritize the security of your systems.

Timeline

Published on: 02/27/2024 07:15:08 UTC
Last modified on: 04/10/2024 14:46:43 UTC