In the Linux kernel, a vulnerability (CVE-2021-46947) has been resolved that affects the efx->xdp_tx_queue_count variable in the Solarflare Communications (sfc) network driver. The bug can lead to a NULL pointer dereference, crashing the kernel when a user runs ethtool -S <iface> against an affected interface. In this post, we discuss the details of the vulnerability, show the relevant code, and link to the original references.
The efx->xdp_tx_queue_count field is initialized to the number of possible CPUs (num_possible_cpus()) and is then used both to allocate the efx->xdp_tx_queues lookup array and to iterate over it. During probing, however, not every slot of that array necessarily receives a real queue; the count still claims the full size, so a later walk over the array (for example, the statistics path behind ethtool -S) dereferences an uninitialized NULL slot. The resulting crash looks like this in the kernel log:
[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8
...
[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]
[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b
The fix is to adjust efx->xdp_tx_queue_count after probing so that it reflects the number of slots in efx->xdp_tx_queues that were actually initialized, which keeps every consumer of the count from stepping past the last real queue.
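To make the failure mode concrete, here is an added user-space C model of the bug and its fix; it is not the sfc driver's code or the kernel patch, and struct efx_nic, efx_probe_xdp and efx_stats_walk are constructed stand-ins for the driver's probe and ethtool statistics paths. The walk counts the NULL slots it encounters instead of dereferencing them, which is exactly where the real driver crashed.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the driver state (not the kernel's definitions). */
struct xdp_tx_queue { unsigned long tx_packets; };
struct efx_nic {
	unsigned int xdp_tx_queue_count;   /* how many slots consumers may walk */
	struct xdp_tx_queue **xdp_tx_queues; /* lookup array sized at probe time */
};

/* Probe: the array is sized from "possible CPUs", but only n_real slots are
 * ever filled with a queue. With adjusted == 0 the count keeps the oversized
 * value (the CVE); with adjusted != 0 it is corrected after probing (the fix). */
static int efx_probe_xdp(struct efx_nic *efx, unsigned int possible_cpus,
			 unsigned int n_real, int adjusted)
{
	efx->xdp_tx_queue_count = possible_cpus;
	efx->xdp_tx_queues = calloc(possible_cpus, sizeof(*efx->xdp_tx_queues));
	if (!efx->xdp_tx_queues)
		return -1;
	for (unsigned int i = 0; i < n_real && i < possible_cpus; i++) {
		efx->xdp_tx_queues[i] = calloc(1, sizeof(struct xdp_tx_queue));
		if (!efx->xdp_tx_queues[i])
			return -1;
		efx->xdp_tx_queues[i]->tx_packets = 10UL * (i + 1); /* sample counters */
	}
	if (adjusted)
		efx->xdp_tx_queue_count = n_real; /* count == initialized slots */
	return 0;
}

/* Statistics walk modelled on the ethtool -S path: iterate every slot the count
 * claims. Returns the number of NULL slots that an unchecked walk would have
 * dereferenced; 0 means the count and the array agree. */
static unsigned int efx_stats_walk(const struct efx_nic *efx, unsigned long *sum)
{
	unsigned int null_slots = 0;

	*sum = 0;
	for (unsigned int i = 0; i < efx->xdp_tx_queue_count; i++) {
		const struct xdp_tx_queue *q = efx->xdp_tx_queues[i];
		if (!q) { null_slots++; continue; } /* kernel had no check here */
		*sum += q->tx_packets;
	}
	return null_slots;
}

static void efx_free_xdp(struct efx_nic *efx)
{
	for (unsigned int i = 0; i < efx->xdp_tx_queue_count; i++)
		free(efx->xdp_tx_queues[i]);
	free(efx->xdp_tx_queues);
}
```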
The official patch for this vulnerability can be found in the Linux kernel commit e5f67792524ebt5au6udu5h399a37241e06b3a29, which addresses the issue by setting the correct value for efx->xdp_tx_queue_count after the probing process. Here's a snippet of the code change:
int efx_probe(struct efx_nic *efx)
{
	...
	err = efx_probe_main(efx);
	if (err)
		goto fail1;
	netif_dbg(efx, probe, efx->net_dev, "successfully initialized\n");
	/* Adjust the count to the real number of initialized queues */
	efx->xdp_tx_queue_count = efx->n_xdp_channels;
	return 0;
fail1:
	efx_remove(efx);
	return err;
}
Original references
- Linux kernel source code commit
- National Vulnerability Database - CVE-2021-46947
In conclusion, CVE-2021-46947 has been resolved in the Linux kernel by adjusting efx->xdp_tx_queue_count to the real number of initialized queues, so that array walks such as the ethtool statistics path never reach an uninitialized NULL slot. Upgrade to a kernel that carries the fix to make sure this vulnerability is patched on your system.
Timeline
Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 20:00:47 UTC