A vulnerability in the net/mlx5e module of the Linux kernel has been fixed. This post gives an overview of the issue, shows code snippets of the problem and the fix, and points to the original references for further information.

Overview of the Vulnerability

The vulnerability is in the net/mlx5e module of the Linux kernel. It specifically affects the mlx5e_tx_reporter_dump_sq() function. The function casts its void * argument to struct mlx5e_txqsq *, but in the TX-timeout-recovery flow, the argument is actually of type struct mlx5e_tx_timeout_ctx *.

This bug causes a stack overflow, which results in a kernel panic, as shown in the trace log below:

mlx5_core 000:08:00.1 enp8sf1: TX timeout detected
mlx5_core 000:08:00.1 enp8sf1: ...
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
end Kernel panic - not syncing: Fatal exception

The Fix

The fix adds a wrapper around mlx5e_tx_reporter_dump_sq(). The wrapper extracts the sq from struct mlx5e_tx_timeout_ctx and is registered as the dump callback for the TX-timeout-recovery flow, so the original function is only ever called with a real struct mlx5e_txqsq *.

Here's a code snippet showing the change that resolves the issue:

/* Old code: the dump callback assumes ctx is a struct mlx5e_txqsq *, but the
 * TX-timeout-recovery flow passes a struct mlx5e_tx_timeout_ctx * instead. */
void mlx5e_tx_reporter_dump_sq(void *ctx)
{
    struct mlx5e_txqsq *sq = ctx;   /* wrong type in the TX-timeout flow */
    ...
}

/* New code: a wrapper, registered for the TX-timeout-recovery flow, that
 * unwraps the sq before calling the original dump function. */
void mlx5e_tx_reporter_dump_sq_wrapper(void *ctx)
{
    struct mlx5e_tx_timeout_ctx *timeout_ctx = ctx;
    struct mlx5e_txqsq *sq = timeout_ctx->sq;   /* the queue that timed out */
    mlx5e_tx_reporter_dump_sq(sq);              /* now receives the right type */
}

With this change in place, the vulnerability is resolved and the Linux kernel operates without encountering a kernel panic due to this issue.
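The type confusion and the wrapper fix, reproduced in user space as an added example that is not the kernel's code: the structures are constructed stand-ins, the dump callback returns the sqn it reads instead of writing a devlink message, and run_tx_timeout_recovery() stands in for the recovery flow that hands the registered callback a timeout context.

```c
/* Constructed stand-ins for the kernel structures (not the real mlx5 layouts). */
struct mlx5e_txqsq {
    unsigned int sqn;        /* send-queue number reported by the dump */
    unsigned int cc, pc;     /* consumer / producer counters */
};

struct mlx5e_tx_timeout_ctx {
    struct mlx5e_txqsq *sq;  /* the queue whose TX timed out */
    int status;              /* recovery result */
};

/* Health-reporter dump callbacks take an opaque context, as devlink's do. */
typedef unsigned int (*dump_fn)(void *ctx);

/* Original callback: correct only when ctx really is a struct mlx5e_txqsq *. */
__attribute__((noinline))  /* keep the cast opaque, as a callback pointer would */
static unsigned int mlx5e_tx_reporter_dump_sq(void *ctx)
{
    struct mlx5e_txqsq *sq = ctx;  /* type confusion when ctx is a timeout ctx */
    return sq->sqn;
}

/* The fix: a wrapper for the TX-timeout flow that unwraps the sq first. */
static unsigned int mlx5e_tx_reporter_timeout_dump(void *ctx)
{
    struct mlx5e_tx_timeout_ctx *to_ctx = ctx;
    return mlx5e_tx_reporter_dump_sq(to_ctx->sq);
}

/* Simulated TX-timeout recovery flow: the reporter hands the registered dump
 * callback a struct mlx5e_tx_timeout_ctx, never a bare sq. */
static unsigned int run_tx_timeout_recovery(dump_fn dump, unsigned int sqn)
{
    struct mlx5e_txqsq sq = { .sqn = sqn, .cc = 10, .pc = 12 };
    struct mlx5e_tx_timeout_ctx to_ctx = { .sq = &sq, .status = 0 };
    return dump(&to_ctx);
}

/* Before the fix the sq dump itself was registered, so it misreads the ctx. */
unsigned int dump_sqn_before_fix(unsigned int sqn)
{
    return run_tx_timeout_recovery(mlx5e_tx_reporter_dump_sq, sqn);
}

/* After the fix the wrapper is registered and the real sqn is reported. */
unsigned int dump_sqn_after_fix(unsigned int sqn)
{
    return run_tx_timeout_recovery(mlx5e_tx_reporter_timeout_dump, sqn);
}
```

In the unfixed path the bytes read as sqn are part of the sq pointer stored at the start of the timeout context; in the kernel the same misinterpretation of the whole structure escalates to the stack overflow shown in the trace.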

Exploit Details

To exploit this vulnerability, an attacker would need to trigger the TX-timeout-recovery flow of an affected Linux kernel while running a custom application that intentionally provokes the bug. Successful exploitation leads to a kernel panic, that is, a crash of the system (denial of service).

However, with the fix in place as described above, the vulnerability is no longer present, and systems running a patched version of the Linux kernel are not affected.

In conclusion, CVE-2021-46931 is a Linux kernel vulnerability with a well-defined fix. It is highly recommended to apply the patch to affected systems and stay up-to-date with the latest kernel versions to ensure security and stability.

Timeline

Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 16:31:14 UTC