CVE-2021-46933: Resolving Linux kernel vulnerability in USB gadget

A vulnerability in the Linux kernel, tracked as CVE-2021-46933, has been detected and resolved by the patch titled "usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear."

ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep_release, so it runs twice when userland closes an ep file and then unmounts f_fs. If userland supplied an eventfd along with the function's USB descriptors, each of those calls invokes eventfd_ctx_put on the same eventfd context, so the reference is dropped more times than it was taken, causing a refcount underflow.

The fix sets ffs_eventfd to NULL after the first eventfd_ctx_put, so a later call to ffs_data_clear skips the put instead of dropping the reference again. The epfiles pointer is likewise set to NULL right after the array is freed, for readability.

Details on the Vulnerability

This vulnerability lies in the Linux kernel's USB gadget FunctionFS (f_fs) code. When the sequence of events above occurs, the extraneous eventfd_ctx_put calls underflow the eventfd's refcount, which may lead to a use-after-free as well as performance issues.

The affected source is in the official kernel repository. The simplified snippet below illustrates the problem and the implemented fix (the upstream function contains additional teardown steps that are omitted here):

static void ffs_data_clear(struct ffs_data *ffs)
{
	struct ffs_epfile **epfiles;
	unsigned count;

	if (unlikely(WARN_ON(!ffs)))
		return;

	pr_debug("%p\n", ffs);

	/*
	 * Drop the eventfd reference only if we still hold one, and clear
	 * the pointer so that a second ffs_data_clear (ep close followed by
	 * unmount) does not call eventfd_ctx_put again and underflow the
	 * refcount. Before the fix the put was unconditional and the pointer
	 * was left dangling.
	 */
	if (ffs->ffs_eventfd) {
		eventfd_ctx_put(ffs->ffs_eventfd);
		ffs->ffs_eventfd = NULL;
	}

	/* Free the per-endpoint files once; NULL the array so a repeat call skips it. */
	epfiles = ffs->epfiles;
	if (epfiles) {
		count = ffs->eps_count;
		while (count--) {
			kfree(*epfiles);
			epfiles++;
		}
		kfree(ffs->epfiles);
		ffs->epfiles = NULL;
	}

	kfree(ffs->epfiles_name);
	kfree(ffs->raw_descs_data);
	kfree(ffs->raw_strings);
}

With this fix ffs_data_clear is safe to call more than once, which eliminates the refcount underflow and ensures proper resource management within the Linux kernel.
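The double-release pattern described above, as an added example that is not part of the original page or of the kernel's own code: a small user-space C model in which a refcounted context stands in for eventfd_ctx and struct ffs_like stands in for the part of ffs_data that holds ffs_eventfd. The names ctx, ffs_like, ctx_get, ctx_put, data_clear_buggy, data_clear_fixed and simulate are all constructed for this illustration. The model replays the sequence from the advisory (f_fs takes a reference when the descriptors are written, the ep file is closed, f_fs is unmounted, then the eventfd itself is closed) once with the pre-fix teardown and once with the NULL-on-release teardown, and reports the final refcount.

```c
#include <stdio.h>

/*
 * Constructed model (added example, not kernel code): a refcounted context
 * standing in for struct eventfd_ctx, and the one field of struct ffs_data
 * that matters here, the ffs_eventfd pointer.
 */
struct ctx {
	long refcount;
};

struct ffs_like {
	struct ctx *eventfd;	/* the field the fix clears (ffs_eventfd) */
};

/* Take a reference, as eventfd_ctx_fdget() does when the descriptors are parsed. */
static struct ctx *ctx_get(struct ctx *c)
{
	c->refcount++;
	return c;
}

/* Drop a reference, as eventfd_ctx_put() does. Going below zero is the
 * underflow; a real kernel would already have freed the object at zero. */
static void ctx_put(struct ctx *c)
{
	c->refcount--;
}

/* Pre-fix teardown: puts the reference but leaves the pointer dangling,
 * so a second call puts the same context again. */
static void data_clear_buggy(struct ffs_like *d)
{
	ctx_put(d->eventfd);
}

/* Fixed teardown: put once, then clear the pointer, so a repeat call is a
 * no-op. This is the shape of the CVE-2021-46933 patch. */
static void data_clear_fixed(struct ffs_like *d)
{
	if (d->eventfd) {
		ctx_put(d->eventfd);
		d->eventfd = NULL;
	}
}

/*
 * Replay the sequence from the advisory: the eventfd fd holds one reference,
 * f_fs takes another when the descriptors are written, then userland closes
 * the ep file (first teardown path), unmounts f_fs (second teardown path),
 * and finally closes the eventfd itself. Returns the final refcount, which
 * should be exactly zero after every holder has released its reference.
 */
static long simulate(void (*clear)(struct ffs_like *))
{
	struct ctx ctx = { .refcount = 1 };			/* the eventfd fd's own reference */
	struct ffs_like d = { .eventfd = ctx_get(&ctx) };	/* f_fs's reference */

	clear(&d);		/* ffs_ep_release -> ffs_data_clear */
	clear(&d);		/* ffs_fs_kill_sb -> ffs_data_clear */
	ctx_put(&ctx);		/* userland close()s the eventfd fd */

	return ctx.refcount;
}

/* 1 if the teardown path drove the refcount below zero, 0 otherwise. */
static int underflows(void (*clear)(struct ffs_like *))
{
	return simulate(clear) < 0;
}

int main(void)
{
	printf("buggy teardown: final refcount %ld, underflow: %s\n",
	       simulate(data_clear_buggy), underflows(data_clear_buggy) ? "yes" : "no");
	printf("fixed teardown: final refcount %ld, underflow: %s\n",
	       simulate(data_clear_fixed), underflows(data_clear_fixed) ? "yes" : "no");
	return 0;
}
```

The buggy path ends at -1 because the context was put three times against two references taken; the fixed path ends at 0 because the second ffs_data_clear finds the pointer already NULL and does nothing. The same idiom, release and immediately NULL the pointer inside the guard, is what makes any teardown routine safe to reach from more than one caller.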

Exploit Details

An exploit for this vulnerability would require a malicious userland process to trigger the refcount underflow by closing an ep file and then unmounting f_fs. This may potentially lead to use-after-free situations and performance degradation.

However, with the implementation of the fix in the Linux kernel, such exploits will no longer be successful.

Original references

1. Linux Kernel Mailing List (LKML) patch submission: the submission of the patch that resolves CVE-2021-46933.
2. Official CVE page for CVE-2021-46933.

Conclusion

CVE-2021-46933 is a vulnerability in the Linux kernel that has been resolved by making ffs_data_clear release its resources only once. Users and administrators should update their Linux kernel regularly to stay protected from potential exploits; the fix is available in the Linux kernel, so applying the latest updates and patches is recommended.

Timeline

Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 18:36:47 UTC