A recently fixed vulnerability in the Linux kernel's spi (Serial Peripheral Interface) subsystem is a use-after-free affecting controllers allocated with devm_spi_alloc_{master,slave}(). The issue has been assigned the CVE (Common Vulnerabilities and Exposures) identifier CVE-2021-46959.

In the Linux kernel's spi subsystem, controllers allocated with the devm_spi_alloc_* functions are misidentified when spi_unregister_controller() consults the devres (device resource) list during driver unbind. By the time devres_find() is called to look for devm_spi_release_controller, the parent's devres list has already been torn down, so controllers registered with devm_spi_alloc_{master,slave}() are mistaken for legacy, non-devm-managed controllers. Their last reference is therefore dropped twice and the reference counter is decremented below zero, a use-after-free that manifests as crashes and other instability.

Here is the kernel warning this use-after-free produces at runtime: a refcount underflow reported by refcount_warn_saturate(), with the backtrace running from the driver unbind through devres_release_all() into devm_spi_release_controller():

------------[ cut here ]------------
WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
[<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98)
[<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24)
 r4:b670014
[<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40)
[<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4)
 r5:b670018 r4:b670010
[<b04533b8>] (release_nodes) from [<b045416>] (devres_release_all+0x5c/0x60)
 r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
[<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec)
 r5:b117ad94 r4:b163dc10
[<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa)
 r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
[<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8)

The fix records the devm allocation state in a flag on the controller itself, which, unlike the parent's devres list, is guaranteed to be stable while the cleanup runs. spi_unregister_controller() tests that flag instead of probing the devres list, so controllers registered with devm_spi_alloc_{master,slave}() are correctly identified and released exactly once, avoiding the underflow and the crashes that follow.
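To make the failing sequence and the fix concrete, here is an added userspace model of both; it is example code written for this article, not the kernel's own spi.c or devres.c. It keeps the one property that matters from the real release_nodes(): every devres node is unlinked before any release callback runs, so a devres_find() issued from inside a callback finds nothing. The devres list, put_device(), fixed_lookup, the parent pointer and the two unbind_* functions are simplifications and assumptions for the simulation; the devm_allocated flag is named after the field the upstream fix adds to struct spi_controller.

```c
/* Userspace model of the CVE-2021-46959 double put (added example, not kernel code). */
#include <stdbool.h>
#include <stdlib.h>

struct device { int refcount; };

/* One devres entry: a release callback plus its argument. */
struct devres_node {
	void (*release)(void *data);
	void *data;
	struct devres_node *next;
};

/* The parent device whose devres list owns the controller. */
struct parent_device { struct devres_node *devres_head; };

struct spi_controller {
	struct device dev;
	struct parent_device *parent;   /* stands in for ctlr->dev.parent */
	bool devm_allocated;            /* set by devm_spi_alloc_*(), tested by the fix */
};

/* Assumed switch: true selects the patched lookup (stable flag), false the devres_find() probe. */
static bool fixed_lookup;

static void put_device(struct device *d)
{
	/* The real put_device() frees the object at zero; one more put is the
	 * refcount_t underflow that refcount_warn_saturate() reports. */
	d->refcount--;
}

static void devres_add(struct parent_device *p, void (*release)(void *), void *data)
{
	struct devres_node *n = malloc(sizeof *n);
	if (!n) abort();
	n->release = release;
	n->data = data;
	n->next = p->devres_head;       /* newest first: releases run in LIFO order */
	p->devres_head = n;
}

static bool devres_find(struct parent_device *p, void (*release)(void *), void *data)
{
	for (struct devres_node *n = p->devres_head; n; n = n->next)
		if (n->release == release && n->data == data)
			return true;
	return false;
}

/* Like the kernel's release_nodes(): unlink everything first, then run the callbacks. */
static void devres_release_all(struct parent_device *p)
{
	struct devres_node *todo = p->devres_head;
	p->devres_head = NULL;
	while (todo) {
		struct devres_node *n = todo;
		todo = n->next;
		n->release(n->data);
		free(n);
	}
}

static void devm_spi_release_controller(void *data)
{
	put_device(&((struct spi_controller *)data)->dev);
}

static struct spi_controller *spi_alloc_controller(struct parent_device *p)
{
	struct spi_controller *c = calloc(1, sizeof *c);
	if (!c) abort();
	c->dev.refcount = 1;            /* the single reference that must be dropped once */
	c->parent = p;
	return c;
}

static struct spi_controller *devm_spi_alloc_controller(struct parent_device *p)
{
	struct spi_controller *c = spi_alloc_controller(p);
	c->devm_allocated = true;
	devres_add(p, devm_spi_release_controller, c);
	return c;
}

static void spi_unregister_controller(struct spi_controller *c)
{
	bool devm = fixed_lookup ? c->devm_allocated
				 : devres_find(c->parent, devm_spi_release_controller, c);
	if (!devm)
		put_device(&c->dev);    /* only legacy controllers drop their reference here */
}

static void devm_spi_unregister(void *data) { spi_unregister_controller(data); }

/* Unbind a devm-allocated, devm-registered controller; returns the final refcount:
 * 0 is correct, -1 is the underflow produced by the unfixed lookup. */
int unbind_devm_controller(bool fixed)
{
	struct parent_device parent = { NULL };
	fixed_lookup = fixed;
	struct spi_controller *c = devm_spi_alloc_controller(&parent);
	devres_add(&parent, devm_spi_unregister, c);   /* devm_spi_register_controller() */
	devres_release_all(&parent);                   /* __device_release_driver() path */
	int rc = c->dev.refcount;
	free(c);
	return rc;
}

/* A legacy driver: plain allocation and an explicit unregister in .remove(). */
int unbind_legacy_controller(bool fixed)
{
	struct parent_device parent = { NULL };
	fixed_lookup = fixed;
	struct spi_controller *c = spi_alloc_controller(&parent);
	spi_unregister_controller(c);
	devres_release_all(&parent);
	int rc = c->dev.refcount;
	free(c);
	return rc;
}
```

With the original lookup, unbind_devm_controller(false) ends at -1: the unregister callback runs first (LIFO), devres_find() sees the already-emptied list, treats the controller as legacy and drops the reference, and devm_spi_release_controller() then drops it again. With the flag, the same sequence ends at 0, and the legacy path still drops its single reference exactly once in both modes.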

For more details on this vulnerability and its resolution, refer to the following original references:

- Linux kernel source containing the vulnerability
- Linux kernel mailing list discussing the issue
- CVE-2021-46959 entry in the MITRE CVE database

As always, users of the affected Linux kernel components should apply the relevant patches or update to the latest kernel version to eliminate the risks associated with this vulnerability.

Timeline

Published on: 02/29/2024 23:15:07 UTC
Last modified on: 03/01/2024 14:04:26 UTC