In the Linux kernel, a vulnerability (CVE-2021-46947) has been resolved in the Solarflare Communications (sfc) network driver. The bug concerns the efx->xdp_tx_queue_count variable: it can be larger than the number of XDP TX queues that were actually set up, so a walk over the queue lookup array dereferences a NULL pointer and the kernel oopses when a user runs ethtool -S <iface> on the interface. In this post, we will discuss the details of the vulnerability, provide code snippets, and link to the original references.

efx->xdp_tx_queue_count is initialized to the number of possible CPUs (num_possible_cpus()) and is then used both to allocate the efx->xdp_tx_queues lookup array and to iterate over it. During probing, however, the driver may end up with fewer real XDP TX queues than possible CPUs, so not all array slots are filled: the remaining slots stay NULL while the count still says num_possible_cpus(). When efx_ethtool_get_stats() later walks the array up to that count and reads per-queue statistics from each entry, it dereferences one of the NULL slots. The resulting kernel log looks like this (the faulting address 0xf8 is the field offset inside the queue structure read through the NULL pointer):

[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8
...
[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]
[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b

To fix this, efx->xdp_tx_queue_count is adjusted after probing so that it reflects the number of slots in efx->xdp_tx_queues that were actually populated with queues, rather than the upper bound used for the allocation. Every later loop bounded by the count then stays inside the populated part of the array.

The official patch for this vulnerability is the Linux kernel commit e5f67792524e ("sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues"), which sets the correct value for efx->xdp_tx_queue_count after the probing process. The following simplified snippet illustrates the shape of the change: once probing succeeds, the count is set from the number of queues that were really created instead of being left at num_possible_cpus().

int efx_probe(struct efx_nic *efx)
{
...
  err = efx_probe_main(efx);
  if (err)
    goto fail1;
  netif_dbg(efx, probe, efx->net_dev, "successfully initialized\n");
  /* Adjust the count to the real number of initialized XDP TX queues,
   * so that loops bounded by xdp_tx_queue_count never reach an empty slot. */
  efx->xdp_tx_queue_count = efx->n_xdp_channels;
  return 0;

 fail1:
  efx_remove(efx);
  return err;
}
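The following userspace program is an added example written for this post; it is not sfc driver code and does not reproduce the upstream patch. It models the mechanism behind the crash and the effect of the fix: a lookup array sized from a possible-CPU count (NUM_POSSIBLE_CPUS, fake_nic, fake_tx_queue, fake_probe and fake_get_stats are all hypothetical names chosen here), only some of whose slots are filled during probe, walked by a stats routine that trusts the count. The stats routine returns an error where the kernel loop would have dereferenced NULL, so the program does not itself crash.

```c
/* Added example (not Linux sfc code): models the lookup-array bug behind
 * CVE-2021-46947 in plain userspace C. All names here are hypothetical. */
#include <stddef.h>
#include <stdlib.h>

#define NUM_POSSIBLE_CPUS 8 /* stands in for num_possible_cpus() */

struct fake_tx_queue {
    unsigned long tx_packets; /* the per-queue counter a stats walk reads */
};

struct fake_nic {
    unsigned int xdp_tx_queue_count;      /* models efx->xdp_tx_queue_count */
    struct fake_tx_queue **xdp_tx_queues; /* models efx->xdp_tx_queues */
    struct fake_tx_queue *queues;         /* backing storage for real queues */
};

/* Models probe: the lookup array is sized from the possible-CPU count, but
 * only n_real slots receive a queue (fewer XDP channels than CPUs). With
 * apply_fix set, the count is corrected afterwards, as the upstream fix does. */
static int fake_probe(struct fake_nic *nic, unsigned int n_real, int apply_fix)
{
    unsigned int i;

    nic->xdp_tx_queue_count = NUM_POSSIBLE_CPUS;
    nic->xdp_tx_queues = calloc(nic->xdp_tx_queue_count, sizeof(*nic->xdp_tx_queues));
    nic->queues = calloc(n_real ? n_real : 1, sizeof(*nic->queues));
    if (!nic->xdp_tx_queues || !nic->queues)
        return -1;

    /* Slots past n_real stay NULL from calloc, exactly like the driver. */
    for (i = 0; i < n_real && i < nic->xdp_tx_queue_count; i++) {
        nic->queues[i].tx_packets = 100UL * (i + 1); /* constructed sample data */
        nic->xdp_tx_queues[i] = &nic->queues[i];
    }

    if (apply_fix)
        nic->xdp_tx_queue_count = i; /* the fix: count == populated slots */
    return 0;
}

/* Models the ethtool -S walk in efx_ethtool_get_stats(): iterate up to the
 * count and read a field through every entry. Returns -1 at the first NULL
 * slot; the kernel loop has no such check, which is why it oopses there. */
static int fake_get_stats(const struct fake_nic *nic, unsigned long *sum_out)
{
    unsigned long sum = 0;
    unsigned int j;

    for (j = 0; j < nic->xdp_tx_queue_count; j++) {
        struct fake_tx_queue *q = nic->xdp_tx_queues[j];
        if (!q)
            return -1; /* would be "BUG: kernel NULL pointer dereference" */
        sum += q->tx_packets;
    }
    *sum_out = sum;
    return 0;
}

static void fake_release(struct fake_nic *nic)
{
    free(nic->xdp_tx_queues);
    free(nic->queues);
    nic->xdp_tx_queues = NULL;
    nic->queues = NULL;
}

int main(void)
{
    struct fake_nic nic;
    unsigned long sum;

    /* 3 real queues, count left at 8: the walk hits the NULL slot at index 3. */
    fake_probe(&nic, 3, 0);
    int unfixed = fake_get_stats(&nic, &sum);
    fake_release(&nic);

    /* Same hardware, count corrected to 3: the walk stays inside real queues. */
    fake_probe(&nic, 3, 1);
    int fixed = fake_get_stats(&nic, &sum);
    fake_release(&nic);

    return (unfixed == -1 && fixed == 0 && sum == 600) ? 0 : 1;
}
```

The first run mirrors the pre-patch driver and reports the NULL slot that the kernel would have dereferenced; the second run mirrors the patched driver, where the corrected count keeps the walk inside the populated part of the array and the statistics sum over the three real queues.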

Original references

- Linux kernel source code commit
- National Vulnerability Database - CVE-2021-46947

In conclusion, CVE-2021-46947 has been resolved in the Linux kernel by adjusting efx->xdp_tx_queue_count to the real number of initialized XDP TX queues, so that walks over efx->xdp_tx_queues no longer reach an unpopulated slot and ethtool -S no longer triggers a NULL pointer dereference. The bug is a denial of service reachable by any user who can run ethtool -S on an sfc interface, so upgrade to a kernel that includes the fix to ensure your system is patched.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 20:00:47 UTC