A new vulnerability, CVE-2021-46937, has been recently discovered and resolved in the Linux kernel. The vulnerability exists in the mm/damon/dbgfs subsystem and can cause memory leaks due to incorrect management of reference counts for 'struct pid' in the 'dbgfs_target_ids_write()' function. This post will provide an overview of the vulnerability, including the code snippets and links to original references, along with the details of the exploit and the resolution.

Vulnerability Details

In the Linux kernel, the DAMON debugfs interface is responsible for managing the reference counts of 'struct pid's for targets derived from the 'target_ids' file write callback ('dbgfs_target_ids_write()') [[1]](https://lwn.net/Articles/572492/). The reference counts are only decreased when the DAMON monitoring is terminated through the 'dbgfs_before_terminate()' callback.

This leads to a problem when the 'target_ids' file is repeatedly written without starting and terminating DAMON monitoring. The reference count is not decreased, preventing the memory allocated for the 'struct pid' from being freed. This memory leak vulnerability has been assigned the CVE identifier CVE-2021-46937 [[2]](https://nvd.nist.gov/vuln/detail/CVE-2021-46937).

Exploit

To exploit this vulnerability, an attacker would need write access to the 'target_ids' file and would repeatedly write to it without starting or terminating DAMON monitoring. Each such write takes additional references on 'struct pid's that are never released, so the leaked memory grows with every write and can eventually lead to a denial of service (DoS).

Resolution

The Linux kernel developers have resolved this vulnerability by ensuring that the reference counts of 'struct pid's are properly decreased when the 'target_ids' file is written. The following code snippet demonstrates the implemented change:

Original Code

```c
static ssize_t dbgfs_target_ids_write(struct file *file,
				      const char __user *buf, size_t count,
				      loff_t *ppos)
{
	...
	struct damon_ctx *ctx = ...(struct damon_ctx, dbgfs_file);
	...
	struct pid *pid;
	...

	for_each_target_pid(ctx, p)
		damon_put_pid(p->pid);
	...
}
```

Fixed Code

```c
static ssize_t dbgfs_target_ids_write(struct file *file,
				      const char __user *buf, size_t count,
				      loff_t *ppos)
{
	...
	struct damon_ctx *ctx = ...(struct damon_ctx, dbgfs_file);
	...
	struct pid *pid;
	...

	for_each_target_pid(ctx, p) {
		if (p->pid) {
			damon_put_pid(p->pid);
			p->pid = NULL;
		}
	}
	...
}
```

In the fixed code, whenever a target's 'pid' field is non-NULL, its reference is dropped by calling 'damon_put_pid()' and the field is then set to NULL, so the same reference cannot be dropped a second time.

With this fix in place, the 'struct pid' leaks are effectively resolved, and the Linux kernel is now protected against the CVE-2021-46937 vulnerability.
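To make the leak pattern from the Vulnerability Details section and the shape of the fix concrete, here is an added userspace model; it is not kernel code and not the snippets above. It stands in for 'struct pid' with a refcount table and models three paths: a leaky write that only takes references, a fixed write that first releases the previous targets, and a terminate path that releases only the current targets. All names ('model_ctx', 'set_targets_leaky', 'set_targets_fixed', 'outstanding_refs') and the pid values are constructed for this example.

```c
#include <string.h>

#define MAX_PIDS 8
static int pid_refs[MAX_PIDS];   /* constructed model: one refcount per pid slot, like struct pid */

/* Monitoring context holding the currently installed target pids (cf. damon_ctx). */
struct model_ctx { int targets[MAX_PIDS]; int nr; };

static int model_get_pid(int pid)  { pid_refs[pid]++; return pid; }  /* take a reference */
static void model_put_pid(int pid) { pid_refs[pid]--; }              /* drop a reference */

/* Leaky write path: takes new references but never drops those taken by the previous write. */
static void set_targets_leaky(struct model_ctx *c, const int *pids, int n)
{
	c->nr = 0;
	for (int i = 0; i < n; i++)
		c->targets[c->nr++] = model_get_pid(pids[i]);
}

/* Fixed write path: release the previously installed targets, then install the new list. */
static void set_targets_fixed(struct model_ctx *c, const int *pids, int n)
{
	for (int i = 0; i < c->nr; i++)
		model_put_pid(c->targets[i]);
	set_targets_leaky(c, pids, n);
}

/* Terminate path (cf. dbgfs_before_terminate): drops references to the current targets only. */
static void model_terminate(struct model_ctx *c)
{
	for (int i = 0; i < c->nr; i++)
		model_put_pid(c->targets[i]);
	c->nr = 0;
}

/* Writes the same three constructed pid slots `writes` times, then terminates;
 * returns the references still outstanding, so 0 means nothing leaked. */
static int outstanding_refs(void (*write_fn)(struct model_ctx *, const int *, int), int writes)
{
	static const int pids[] = { 1, 2, 3 };
	struct model_ctx c = { { 0 }, 0 };
	int total = 0;
	memset(pid_refs, 0, sizeof(pid_refs));
	for (int w = 0; w < writes; w++)
		write_fn(&c, pids, 3);
	model_terminate(&c);
	for (int i = 0; i < MAX_PIDS; i++)
		total += pid_refs[i];
	return total;
}
```

A single write followed by terminate leaks nothing in either version; only repeated writes without an intervening terminate expose the difference, which is why a simple start/stop test would not have caught the bug.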

Conclusion

The recent Linux kernel vulnerability CVE-2021-46937 has been addressed by properly managing the reference counts of 'struct pid's within the 'dbgfs_target_ids_write()' function. This fix prevents memory leaks and potential denial of service attacks that could have been exploited by writing to the 'target_ids' file without proper DAMON monitoring control.

References

[1] https://lwn.net/Articles/572492/
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-46937

Timeline

Published on: 02/27/2024 10:15:08 UTC
Last modified on: 04/10/2024 18:59:16 UTC