A security vulnerability in the Linux kernel's "net" subsystem has recently been resolved. The bug is a use-after-free in the tw_timer_handler function, which could lead to system crashes or possibly to exploitation in certain scenarios. It has been designated CVE-2021-46936.

Original References

The vulnerability was first reported by syzkaller back in 2017, in a Google Groups thread [1]. It was not resolved at the time, but it has now been fixed in the latest Linux kernel patches. To understand the vulnerability and its implications, let's walk through the panic trace and the root cause.

The bug was later observed as the following real-world panic in Linux 5.4:

BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
 <IRQ>
 call_timer_fn+0x2b/0x120
 run_timer_softirq+0x1ef/0x450
 __do_softirq+0x10d/0x2b8
 irq_exit+0xc7/0xd0
 smp_apic_timer_interrupt+0x68/0x120
 apic_timer_interrupt+0xf/0x20

This is the panic message the kernel printed when the bug was triggered: a page fault taken inside tw_timer_handler, called from the timer softirq. The crash still occurred after the earlier Datagram Congestion Control Protocol (DCCP) vulnerability had been fixed, which showed that the DCCP fix had not addressed the underlying cause.

Exploit Details

The vulnerability came from the wrong order of initialization of the per-network-namespace subsystems, which in turn determines the order in which they are torn down when a net namespace is destroyed. Specifically, ipv4_mib_exit_net was called before tcp_sk_exit_batch. Because ipv4_mib_exit_net frees the namespace's statistics, any time-wait timer that fired afterwards caused a use-after-free on net->mib.net_statistics in tw_timer_handler.

This bug was not introduced by commit f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH"), where net_statistics was a global variable. Instead, it was caused by commit 61a7e26028b9 ("mib: put net statistics on struct net"), which dynamically allocated and freed the net statistics on struct net.

Resolution

The fix was to move the init_ipv4_mibs() call before tcp_init(), so that the MIB statistics are registered first and therefore torn down last, after the TCP subsystem has purged its time-wait sockets and their timers. In addition, the pr_crit() call on init_ipv4_mibs() failure was replaced with panic(), since continuing execution would be meaningless if the statistics could not be set up.
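To make the ordering problem described in the Exploit Details and Resolution sections concrete, here is a small user-space model, added here and not code from the kernel or from the fix. It mimics the per-namespace subsystem list: init callbacks run in registration order, exit callbacks run in reverse. The names mirror the kernel functions mentioned above, but the structures, the timer model and the "freed" poison flag (used instead of a real free() so the model can report a use-after-free safely) are simplifications I assumed for illustration. Registering TCP before the MIBs reproduces the teardown order the page describes; registering the MIBs first is the fixed order.

```c
/*
 * Added illustration (not kernel code): a model of the per-namespace
 * subsystem list behind CVE-2021-46936.  init() callbacks run in
 * registration order when a namespace is created; exit() callbacks run in
 * reverse order when it is destroyed.  If the TCP subsystem is registered
 * before the MIB subsystem, the MIB statistics are torn down first while a
 * time-wait timer can still fire and touch them.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for net->mib.net_statistics. */
struct net_statistics {
    unsigned long tw_recycled;
    bool freed;            /* poison flag standing in for kfree(), so the
                              model detects use-after-free without crashing */
};

struct net {
    struct net_statistics *net_statistics;
    int tw_timers_pending; /* time-wait timers still armed in this namespace */
    int uaf_hits;          /* handler runs that touched freed statistics */
};

/* tw_timer_handler(): the callback that ran on freed memory in the real bug. */
static void tw_timer_handler(struct net *net)
{
    struct net_statistics *st = net->net_statistics;
    if (st->freed) {       /* in the kernel this is the page fault above */
        net->uaf_hits++;
        return;
    }
    st->tw_recycled++;
}

/* Simulated timer softirq: fire whatever is still armed. */
static void run_pending_timers(struct net *net)
{
    while (net->tw_timers_pending > 0) {
        net->tw_timers_pending--;
        tw_timer_handler(net);
    }
}

/* --- per-namespace subsystem callbacks (simplified stand-ins) --- */
static void ipv4_mib_init_net(struct net *net)
{
    net->net_statistics = calloc(1, sizeof(*net->net_statistics));
}
static void ipv4_mib_exit_net(struct net *net)
{
    net->net_statistics->freed = true;  /* models freeing the statistics */
}
static void tcp_sk_init(struct net *net)
{
    net->tw_timers_pending = 2;         /* two sockets parked in TIME-WAIT */
}
static void tcp_sk_exit_batch(struct net *net)
{
    net->tw_timers_pending = 0;         /* purges time-wait sockets, cancelling timers */
}

struct pernet_operations {
    const char *name;
    void (*init)(struct net *);
    void (*exit)(struct net *);
};

/* Create a namespace, then destroy it; exit runs back-to-front, and a timer
 * interrupt is modelled between every two exit steps. Returns UAF count. */
static int namespace_lifecycle(const struct pernet_operations *ops, int n)
{
    struct net net;
    memset(&net, 0, sizeof(net));
    for (int i = 0; i < n; i++)
        ops[i].init(&net);
    for (int i = n - 1; i >= 0; i--) {
        ops[i].exit(&net);
        run_pending_timers(&net);
    }
    int hits = net.uaf_hits;
    free(net.net_statistics);
    return hits;
}

/* Returns the number of use-after-free accesses during teardown. */
int simulate(bool mibs_registered_first)
{
    struct pernet_operations mib = { "ipv4_mib", ipv4_mib_init_net, ipv4_mib_exit_net };
    struct pernet_operations tcp = { "tcp_sk",   tcp_sk_init,       tcp_sk_exit_batch };
    struct pernet_operations ops[2];
    if (mibs_registered_first) { ops[0] = mib; ops[1] = tcp; }  /* fixed order   */
    else                       { ops[0] = tcp; ops[1] = mib; }  /* original order */
    return namespace_lifecycle(ops, 2);
}

int main(void)
{
    printf("tcp registered first : %d use-after-free hit(s)\n", simulate(false));
    printf("mibs registered first: %d use-after-free hit(s)\n", simulate(true));
    return 0;
}
```

With TCP registered first, the MIB exit runs before the TCP batch exit, and both armed timers fire on poisoned statistics; with the MIBs registered first, the TCP exit purges the timers before the statistics go away and no handler runs on freed memory. That is the whole effect of moving init_ipv4_mibs() ahead of tcp_init().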

Conclusion

CVE-2021-46936 is a use-after-free vulnerability in the Linux kernel's "net" subsystem that could lead to system crashes or possibly to exploitation. The issue has now been resolved, and users should update to a patched Linux kernel to mitigate the risk.

Reference

[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1

Timeline

Published on: 02/27/2024 10:15:08 UTC
Last modified on: 04/10/2024 19:20:08 UTC