A recently disclosed vulnerability in the Linux kernel, located in the Memory Technology Device (MTD) physmap module, could allow a bad actor to trigger an out-of-bounds read, with potential data leakage as a result. Identified as CVE-2021-46965 and titled "mtd: physmap: physmap-bt1-rom: Fix unintentional stack access" after the fixing commit, the issue has since been resolved, so the affected code no longer reads past the stack variable it was meant to access.

Vulnerability Details

CVE-2021-46965 stems from a coding error in the physmap-bt1-rom driver within the Linux kernel's MTD module. Physmap manages the interface between the kernel and physical memory devices such as ROM, NOR Flash and NAND Flash. In the affected code, the variable data is declared as u32 (an unsigned 32-bit integer), so pointer arithmetic on its address (&data) advances in 4-byte steps. The code in question, however, is meant to step through the value at a byte offset.

Because each step moves four bytes instead of one, the pointer quickly leaves the 4-byte object and lands elsewhere on the stack: an unintentional stack access that results in an out-of-bounds read, with data leakage or a crash as possible consequences. Coverity, a static application security testing (SAST) tool, detected the defect and flagged it as Coverity ID 1497765 ("Out-of-bounds access").

Resolution

The fix casts the address of data to (char *), so that pointer arithmetic proceeds in byte offsets as intended rather than in 4-byte chunks. The following snippet shows the shape of the fixed code:

    char *ptr;
    u32 data;

    /* ... data is filled with the word read from the ROM ... */
    /* A char pointer advances one byte per step, so ptr + i stays
     * inside the 4-byte variable for i < sizeof(data). */
    ptr = (char *)&data;
    /* ... */

With &data cast to (char *), byte-wise indexing stays within the 4-byte variable, the out-of-bounds read no longer occurs, and the code operates as intended.
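As an added illustration (not code from the kernel or from the fixing commit), the following C program contrasts the byte offsets reached by the buggy u32-stride expression with those of the fixed char-stride expression, and shows the fixed pattern copying bytes out of a word read from a constructed ROM image. The ROM contents, the helper names and the function signatures are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t u32;   /* stand-in for the kernel's u32 */

/* Constructed sample: 8 bytes of ROM contents, i.e. two 32-bit words. */
static const unsigned char rom_image[8] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
};

/* Byte offset from &data that the buggy expression (&data + i) reaches for
 * byte index i. Computed with integer arithmetic only, so this example never
 * forms an out-of-bounds pointer itself. */
size_t buggy_stride_offset(size_t i) { return i * sizeof(u32); }

/* Byte offset from &data that the fixed expression ((char *)&data + i) reaches. */
size_t fixed_stride_offset(size_t i) { return i; }

/* Returns 1 when a byte offset lies outside the 4-byte u32 on the stack,
 * i.e. when a read at that offset would be the unintentional stack access. */
int offset_out_of_bounds(size_t off) { return off >= sizeof(u32) ? 1 : 0; }

/* Fixed pattern: load one word from the ROM image into a u32, then copy
 * len (at most 4) bytes out of it through a char pointer, one byte per step.
 * Returns the number of bytes copied, or 0 if the request is out of range. */
size_t copy_word_bytes(const unsigned char *rom, size_t rom_len,
                       size_t word_idx, unsigned char *out, size_t len)
{
    u32 data;
    const char *ptr;
    size_t i;

    if (len > sizeof(u32) || (word_idx + 1) * sizeof(u32) > rom_len)
        return 0;
    memcpy(&data, rom + word_idx * sizeof(u32), sizeof(u32));
    ptr = (const char *)&data;            /* byte stride, as in the fix */
    for (i = 0; i < len; i++)
        out[i] = (unsigned char)ptr[i];   /* stays inside data */
    return len;
}

/* Self-check: the bytes copied from word 1 must equal rom_image[4..7]. */
int demo_copy_matches(void)
{
    unsigned char out[4] = {0};

    if (copy_word_bytes(rom_image, sizeof(rom_image), 1, out, 4) != 4)
        return 0;
    return memcmp(out, rom_image + 4, 4) == 0 ? 1 : 0;
}
```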

Original References

For more information on the CVE-2021-46965 vulnerability and its fix, please review the following resources:

1. Linux kernel commit message: mtd: physmap: physmap-bt1-rom: Fix unintentional stack access
2. Coverity scan: Addresses-Coverity-ID: 1497765 ("Out-of-bounds access")

Exploit Details

No exploit has been developed for this vulnerability, as it was resolved in the Linux kernel before public disclosure. Running an up-to-date kernel protects against CVE-2021-46965. The discovery and patching of this defect also illustrate the value of proactive measures such as static analysis tools like Coverity in the development process for protecting systems and software.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC