CVE-2021-46948 - SFC Farch Fix TX Queue Lookup in the Linux Kernel

Summary: Security researchers have found and fixed issues related to the handling of TX events in the Linux kernel. This post will explain the problem, the fix, and provide code examples to help understand the issue and the resolution.

Context: Common Vulnerability and Exposures (CVE) is a publicly available list of identified vulnerabilities. A recent vulnerability was identified (CVE-2021-46948) in the Linux kernel regarding the handling of transmit (TX) events. This vulnerability pertains to the Solarflare 10G Ethernet controller (specifically, the Solarflare SFC900-series 10GbE NIC) when using the sfc driver.

Affected code: The issue arises from an incorrect use of the efx_channel_get_tx_queue() function in the function efx_farch_handle_tx_event(). The issue occurs when trying to get the TX queue by starting with a TXQ label, instead of a TXQ type, leading to panics as the efx_channel_get_tx_queue() function can return NULL in such a situation.

Original references: The fixes for this vulnerability can be found at their respective links

1. Linux kernel Git Commit
2. Linux sfc Driver Git Commit

Exploit details: Exploiting this vulnerability can lead to panics in the affected system, potentially causing denial of service attacks on the affected machines. It can be triggered under certain conditions when the malicious party attempts to transmit a large amount of network traffic, resulting in panics.

Code snippet

Before the fix, the function efx_farch_handle_tx_event() within the sfc driver looks something like this:

void efx_farch_handle_tx_event(struct efx_channel *channel,
                               const efx_qword_t *event)
{
    struct efx_farch_txq *tx_queue;
    struct efx_tx_queue *real_tx_queue;

    tx_queue = efx_farch_channel_tx_queue(channel,
                   EFX_QWORD_FIELD(*event, FSF_AZ_SHORT_DATA));
    real_tx_queue = efx_channel_get_tx_queue(channel, tx_queue->label);
    ...
}

The issue is that we are using efx_channel_get_tx_queue() to find the real_tx_queue by providing the tx_queue->label as an argument. However, this may cause a NULL pointer to be dereferenced when efx_channel_get_tx_queue() returns NULL.

The correct fix is to remove efx_channel_get_tx_queue() and directly use the tx_queue instead.

After the fix, the code looks like this

void efx_farch_handle_tx_event(struct efx_channel *channel,
                               const efx_qword_t *event)
{
    struct efx_farch_txq *tx_queue;

    tx_queue = efx_farch_channel_tx_queue(channel,
                   EFX_QWORD_FIELD(*event, FSF_AZ_SHORT_DATA));
    ...
}

By following the above changes, Linux kernel developers have resolved the CVE-2021-46948 vulnerability. Please make sure to update your systems to the latest Linux kernel to avoid any potential problems stemming from this vulnerability.

Conclusion: Vulnerabilities like CVE-2021-46948 emphasize the importance of proper code review, testing, and reporting mechanisms to ensure security and stability. Collaboration between security researchers, developers, and users can help keep systems secure and up-to-date.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 20:14:23 UTC