A recent vulnerability was discovered and patched in the Linux kernel, specifically in the parisc architecture code. The vulnerability concerned instruction access rights traps, also known as Trap 7. This post provides an in-depth look at the vulnerability, the applied patch, code snippets, and links to the original references. The exploit details are also discussed, highlighting the potential consequences of leaving the vulnerability unpatched.

Vulnerability

The vulnerability in the Linux kernel occurred when a Trap 7 (Instruction access rights) was triggered. This trap means that the CPU could not execute an instruction because the memory region it lives in lacks execute permission. Because the CPU never fetched the instruction, it also never loaded it into cr19, the Interruption Instruction Register (IIR), before entering the trap handler. The trap handler therefore found whatever stale value an earlier trap had left in cr19 and treated it as if it described the current fault. This could lead to unpredictable system behavior, crashes, or potential security issues.
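As an added illustration (not code from the kernel or from the lore thread), the following C model simulates the register behaviour described above and the marker-based fix: the `sim_regs` struct, `sim_deliver_trap` and the two `handler_*` functions are hypothetical, and the opcode and trap code 8 used for the earlier trap are constructed values. It shows that an unpatched handler reports the previous trap's instruction as if it belonged to the Trap 7, while the patched one reports the "bad food" marker.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical, simplified register file; not the kernel's struct pt_regs. */
struct sim_regs {
    uint32_t iir;   /* cr19, Interruption Instruction Register */
    uint32_t iaoq;  /* address of the faulting instruction (simplified) */
};

#define TRAP_INSN_ACCESS_RIGHTS 7      /* Trap 7 from the write-up */
#define IIR_STALE_MARKER 0xbaadf00dU   /* "bad food" marker the patch writes */

/* Simulated hardware side of a trap. For most traps the CPU has fetched
 * the instruction and latches it into IIR; for Trap 7 it never fetched it,
 * so IIR is left holding whatever the previous trap stored there. */
static void sim_deliver_trap(struct sim_regs *r, int code, uint32_t addr,
                             uint32_t opcode)
{
    r->iaoq = addr;
    if (code != TRAP_INSN_ACCESS_RIGHTS)
        r->iir = opcode;
}

/* Unpatched behaviour: report IIR as if it always described the fault. */
static uint32_t handler_unpatched(struct sim_regs *r, int code)
{
    (void)code;
    return r->iir;
}

/* Patched behaviour: on Trap 7 the IIR contents are known to be stale,
 * so overwrite them with the marker before anything reports them. */
static uint32_t handler_patched(struct sim_regs *r, int code)
{
    if (code == TRAP_INSN_ACCESS_RIGHTS)
        r->iir = IIR_STALE_MARKER;
    return r->iir;
}

/* Scenario (constructed values): an earlier trap with a different code
 * latches opcode 0x08000240 into IIR, then a Trap 7 hits at another
 * address. Returns the IIR value the chosen handler would report. */
uint32_t reported_iir_after_trap7(bool patched)
{
    struct sim_regs r = { 0, 0 };
    sim_deliver_trap(&r, 8, 0x1000, 0x08000240U);   /* code 8: constructed */
    sim_deliver_trap(&r, TRAP_INSN_ACCESS_RIGHTS, 0x2000, 0);
    return patched ? handler_patched(&r, TRAP_INSN_ACCESS_RIGHTS)
                   : handler_unpatched(&r, TRAP_INSN_ACCESS_RIGHTS);
}
```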

The Patch

The fix clears the stale IIR value whenever an instruction access rights trap occurs. The applied patch overwrites the stale IIR value with the constant magic "bad food" value (0xbaadf00d), so that nothing downstream can mistake leftover register contents for the faulting instruction, as shown below:

diff --git a/arch/parisc/kernel/traps.c
index 9ee5127..d4ddbfe 100644
--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -308,6 +308,7 @@ void do_intr(struct pt_regs *regs, int inkernel)
        else if (iir == -1)
                printk("\n");
        else
+               regs->iir = xbaadf00d; /* overwrite stale value */
                printk("%.8x\n", iir);
 }
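Review bot: The added line is a syntax error and, even once fixed, never reaches the output. `xbaadf00d` is not a valid C literal; the "bad food" constant the description names is `0xbaadf00d`. More importantly, the assignment is inserted under a bare `else` without braces, so it becomes the sole body of the `else` and the following `printk("%.8x\n", iir);` now runs unconditionally, including in the `iir == -1` branch that was meant to print only a newline. The `printk` also formats the local `iir`, not `regs->iir`, so the overwritten value is never what gets printed. Suggest wrapping the branch in braces and either printing `regs->iir` or performing the overwrite before `iir` is read from `regs`, for example:

        else {
                regs->iir = 0xbaadf00d; /* overwrite stale value */
                printk("%.8x\n", regs->iir);
        }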

Original References

The Linux kernel mailing list discussion about the vulnerability, along with additional information about the patch applied, can be found at the following link:

https://lore.kernel.org/lkml/20210707063527.2739-1-mato@parisc-linux.org/T/#u

Exploit Details

An exploit of this vulnerability would require an attacker to run code that deliberately triggers a Trap 7. The random stale value left in the cr19 register could then mislead a debugger or crash analysis, or possibly be leveraged to gain unauthorized access to sensitive data or resources on the system. The likelihood of a successful exploit is low, but it is still a risk that should be taken seriously.

Conclusion

The vulnerability CVE-2021-46928, which involved the parisc architecture's Trap 7 handling in the Linux kernel, was a subtle issue that could cause problematic or unpredictable system behavior. The patch applied by the Linux kernel development team mitigates this risk by clearing the stale IIR value whenever an instruction access rights trap occurs. System administrators should apply the latest kernel patches to their systems to ensure the vulnerability is addressed.

Timeline

Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 16:29:19 UTC