A vulnerability in the Linux kernel, tracked as CVE-2021-46967, has been identified and fixed. It resides in the vhost-vdpa component and stems from the virtqueue doorbell mapping being created without the vm_flags that a device-register mapping requires. The documented consequence is a kernel panic when userspace registers the mapped doorbell address with the vhost IOTLB. This article summarises the issue, shows the relevant patch hunk, links the original references, and sets out what is and is not known about exploitation, together with the fix that was merged.

Details

The virtqueue doorbell is typically a device register, so the page that userspace mmaps from the vhost-vdpa device node is MMIO, not RAM. The original mmap handler did not mark the VMA accordingly: flags such as VM_PFNMAP (and VM_IO) were missing from vma->vm_flags. Without them, kernel code that walks the VMA assumes every page is backed by a struct page, so when userspace registers that doorbell address with the vhost IOTLB, the kernel tries to look up a page structure that does not exist and may panic. The fix sets the necessary vm_flags on the doorbell VMA so that the mm layer treats the range as raw page frames; the IOTLB mapping attempt then fails cleanly with a bad-address error instead of crashing the kernel.
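A practical way to confirm that a running kernel applies these flags is to map the doorbell and read the VmFlags line the kernel exposes for that VMA in /proc/self/smaps. The program below is an added example written for this article; it is not code from the kernel tree or from the original patch. The VmFlags mnemonics it looks for are the kernel's own (io = VM_IO, pf = VM_PFNMAP, de = VM_DONTEXPAND, dd = VM_DONTDUMP). The parsing functions run against a constructed smaps excerpt embedded in the file; the main() additionally maps a real device node if one is given, and assumes (stated here as an assumption, not taken from the page) that the doorbell is mapped as a single shared, write-only page whose file offset is the virtqueue index.

```c
/* Added example (not from the original article or the kernel tree): check a
 * vhost-vdpa doorbell mapping for the VMA flags the CVE-2021-46967 fix sets,
 * using the VmFlags line in /proc/self/smaps. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

enum { DB_IO = 1, DB_PFNMAP = 2, DB_DONTEXPAND = 4, DB_DONTDUMP = 8 };
#define DOORBELL_REQUIRED_FLAGS (DB_IO | DB_PFNMAP | DB_DONTEXPAND | DB_DONTDUMP)

/* Constructed smaps excerpt (not captured from a real system): an ordinary
 * anonymous page followed by a doorbell-style page carrying all four flags. */
static const char SAMPLE_SMAPS[] =
    "7f1c00000000-7f1c00001000 rw-p 00000000 00:00 0 \n"
    "Size:                  4 kB\n"
    "VmFlags: rd wr mr mw me ac\n"
    "7f1c00002000-7f1c00003000 -w-s 00000000 00:06 123   /dev/vhost-vdpa-0\n"
    "Size:                  4 kB\n"
    "VmFlags: wr sh mr mw me de dd pf io\n";

/* Turn one "VmFlags: ..." line into a bitmask of the flags we care about;
 * mnemonics we do not track are ignored. */
unsigned parse_vmflags_line(const char *line)
{
    unsigned mask = 0;
    const char *p = strchr(line, ':');
    if (!p) return 0;
    for (p++; *p && *p != '\n'; ) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p || *p == '\n') break;
        size_t n = 0;
        char tok[8];
        while (p[n] && p[n] != ' ' && p[n] != '\n' && n < sizeof tok - 1) n++;
        memcpy(tok, p, n); tok[n] = 0;
        if (!strcmp(tok, "io")) mask |= DB_IO;
        else if (!strcmp(tok, "pf")) mask |= DB_PFNMAP;
        else if (!strcmp(tok, "de")) mask |= DB_DONTEXPAND;
        else if (!strcmp(tok, "dd")) mask |= DB_DONTDUMP;
        p += n;
    }
    return mask;
}

/* Find the mapping whose range starts at `start` in smaps text and return its
 * flag mask, or -1 if no mapping starts there. Only mapping header lines
 * contain two hex numbers joined by '-', so the sscanf pattern isolates them. */
int smaps_flags_for_range(const char *smaps, uintptr_t start)
{
    int in_target = 0;
    for (const char *line = smaps; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len); buf[len] = 0;
        unsigned long lo, hi;
        if (sscanf(buf, "%lx-%lx ", &lo, &hi) == 2)
            in_target = (lo == start);
        else if (in_target && !strncmp(buf, "VmFlags:", 8))
            return (int)parse_vmflags_line(buf);
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Flags the fix sets that are absent from `mask` (0 means fully patched). */
unsigned missing_doorbell_flags(unsigned mask)
{
    return DOORBELL_REQUIRED_FLAGS & ~mask;
}

/* Read /proc/self/smaps into a heap buffer; caller frees. */
static char *read_self_smaps(void)
{
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f) return NULL;
    size_t cap = 1 << 16, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    if (buf) buf[len] = 0;
    fclose(f);
    return buf;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s /dev/vhost-vdpa-N\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDWR);
    if (fd < 0) { perror("open"); return 1; }
    /* Assumption: one write-only shared page, offset 0 = virtqueue 0. */
    void *db = mmap(NULL, sysconf(_SC_PAGESIZE), PROT_WRITE, MAP_SHARED, fd, 0);
    if (db == MAP_FAILED) { perror("mmap"); return 1; }
    char *smaps = read_self_smaps();
    int mask = smaps ? smaps_flags_for_range(smaps, (uintptr_t)db) : -1;
    free(smaps);
    if (mask < 0) { fprintf(stderr, "doorbell VMA not found in smaps\n"); return 1; }
    unsigned missing = missing_doorbell_flags((unsigned)mask);
    printf("doorbell VMA: io=%d pf=%d de=%d dd=%d -> %s\n", !!(mask & DB_IO),
           !!(mask & DB_PFNMAP), !!(mask & DB_DONTEXPAND), !!(mask & DB_DONTDUMP),
           missing ? "MISSING FLAGS (unpatched?)" : "ok");
    return missing ? 1 : 0;
}
```

Run it as root against a vhost-vdpa device node on the kernel you want to check; an exit status of 1 with flags reported as missing means the doorbell VMA is not marked as a PFN/IO mapping and the kernel is worth treating as unpatched for this issue. Readers without vDPA hardware can still exercise the parsing logic against the embedded sample.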

Here's a code snippet from the original patch demonstrating the fix applied to the vhost-vdpa component:

diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index ed4e8af0219c..420bd35e703 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -244,7 +244,7 @@ static int vhost_vdpa_mmap(struct file *filep, struct vm_area_struct *vma)
 			return ret;

 		vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND |
-					VM_DONTDUMP;
+				 VM_DONTDUMP | VM_IO;
 		vma->vm_page_prot = vhost_vdpa_pgprot(vma, pgprot);
 		vma->vm_private_data = v;
 		vma->vm_ops = &vhost_vdpa_vm_ops;
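Review bot: the "before" side of this hunk already sets VM_PFNMAP, VM_DONTEXPAND and VM_DONTDUMP, so the only flag the change adds is VM_IO; that contradicts the description above the patch, which says VM_PFNMAP was missing and is what the fix supplies. Either the hunk should show the whole assignment as a single added line (`+	vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;`) or the description should say only VM_IO is added. Two smaller points: the replacement continuation line switches from tab indentation to tab-plus-space (`-					VM_DONTDUMP;` vs `+				 VM_DONTDUMP | VM_IO;`), so the continuation no longer lines up with the rest of the expression, and the index line abbreviates the two blob ids to different lengths (12 and 11 hex digits), which git does not do on its own and suggests a transcription error.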

This hunk sets the vm_flags for the virtqueue doorbell mapping in drivers/vhost/vdpa.c. After the change the doorbell VMA carries VM_IO, VM_PFNMAP, VM_DONTEXPAND and VM_DONTDUMP. VM_PFNMAP and VM_IO tell the mm layer that the range maps raw page frames (device registers) with no struct page behind them, so paths such as the vhost IOTLB lookup no longer try to pin non-existent pages; VM_DONTEXPAND stops mremap() from growing the mapping beyond the single doorbell page; and VM_DONTDUMP keeps the register page out of core dumps, where reading it would be meaningless and could touch device state.

Reference

You can refer to the original commit message and the Linux kernel mailing list for more information about this vulnerability and the provided fix:

- Commit message: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a22117c417eb8358669f387a773f71368294fa1e
- Linux Kernel Mailing List (LKML) post: https://lkml.org/lkml/2021/8/30/95

Exploit Details

No public exploit was known at the time of writing. The trigger described in the commit is straightforward, though: a local process with access to a vhost-vdpa device node maps the virtqueue doorbell and then registers that address with the vhost IOTLB, which on an unpatched kernel can panic the machine. The documented impact is therefore a local denial of service by a user who can already open the device node; whether an unbacked doorbell mapping could be abused for anything beyond a crash has not been established, so treat claims of a broader impact as speculation. Kernel developers and administrators of hosts that expose vhost-vdpa should still consider it a real stability issue, since a single misbehaving or malicious VMM process can take down every guest on the host.

Conclusion

CVE-2021-46967, affecting the vhost-vdpa component of the Linux kernel, has been resolved by a patch that sets the vm_flags a device-register mapping needs on the virtqueue doorbell VMA. The change removes the kernel panic that an IOTLB registration of the doorbell address could cause and makes that request fail with an error instead. Anyone running a kernel with vhost-vdpa enabled, especially on hosts where untrusted VMM processes can open the device node, should update to a kernel that carries the fix.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC