CVE-2021-46969 is a Linux kernel vulnerability in the MHI (Modem Host Interface) bus core, the 'bus: mhi: core' module. The problem lies in the mhi_queue function, which returned an error to its caller whenever the device doorbell could not be rung in the current power state, even though the buffer had already been queued. This article explains the details of the vulnerability, provides a code snippet to illustrate the pattern, and discusses the practical impact of the issue.

Vulnerability Details

In the Linux kernel's mhi_queue function, the host queues a transfer ring element for the device and then rings the device doorbell to signal that new work is available. The doorbell can only be rung while the device is in the M0 state. When the device is in a non-M0 state, such as the M3 low-power state, it first has to be woken up; mhi_queue triggers that resume and, in the affected versions, then returned an error to the caller.

However, this is not truly an error, only a delay: the doorbell will be rung once the device has transitioned back to M0, so there is no reason to report a failure. Worse, by the time the error is returned the buffer has already been placed on the transfer ring. In the skb case the caller assumes that an error means it still owns the skb and frees it, while the ring (and the device, via DMA) still references it, which is a use-after-free.

You can find more information about this vulnerability in the Linux kernel by visiting the original reference: Kernel Patch

Code Snippet

The snippet below is a simplified sketch of the pattern rather than the verbatim upstream diff: the helper and field names (mhi_ring_db, dl_trigger, output_lock) are placeholders, and the rest of each function body is elided. It shows the essential difference: the original code propagated the error from the doorbell ring attempt to the caller, while the fix ignores a doorbell that cannot be rung yet and relies on the resume path to ring it later.

/* Original code (simplified sketch, placeholder names) */
...
int mhi_queue_skb(struct mhi_device *mhi_dev, enum dma_data_direction dir,
		  int index, struct sk_buff *skb, bool sync)
{
	unsigned long flags;
	u32 nr_slots;
	int ret;

	spin_lock_irqsave(&mhi_dev->output_lock[dir], flags);
	if (unlikely(mhi_dev->dl_trigger)) {
		/* Fails when the device is in M3 and cannot take a doorbell yet */
		ret = mhi_ring_db(mhi_dev, dir, index);
		if (ret) {
			spin_unlock_irqrestore(&mhi_dev->output_lock[dir], flags);
			/* BUG: the caller treats this as "skb not queued" and frees it */
			return ret;
		}
	}
	/* ... rest of function elided ... */
}
...

/* Fixed code (simplified sketch, placeholder names) */
...
int mhi_queue_skb(struct mhi_device *mhi_dev, enum dma_data_direction dir,
		  int index, struct sk_buff *skb, bool sync)
{
	unsigned long flags;
	u32 nr_slots;

	spin_lock_irqsave(&mhi_dev->output_lock[dir], flags);
	if (unlikely(mhi_dev->dl_trigger))
		/* A doorbell that cannot be rung now is rung on resume; not an error */
		mhi_ring_db(mhi_dev, dir, index);
	/* ... rest of function elided ... */
}
...
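To make the ownership problem concrete, here is an added userspace model of the bug and its fix. It is not kernel code and not the page's or the MHI driver's own code: the ring, the PM states, the client tx path and all names (queue_vuln, queue_fixed, client_tx, resume_and_complete, run_scenario) are illustrative stand-ins for the MHI transfer ring, M0/M3, a client driver such as a network driver, and the resume path. The "packet" is a constructed sample. The freed flag on the buffer stands in for kfree_skb(); memory is never actually released so the dangling-reference check stays well defined.

```c
/* Added example: userspace model of CVE-2021-46969, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define RING_SLOTS 4

enum pm_state { PM_M0, PM_M3 };

struct buf {			/* stand-in for struct sk_buff */
	char data[16];
	bool freed;		/* set by buf_free(); memory is kept */
};

struct ring {			/* stand-in for the MHI transfer ring */
	struct buf *slot[RING_SLOTS];
	unsigned int wp, rp;
	bool db_pending;	/* doorbell still to be rung once in M0 */
	bool db_rung;
	enum pm_state state;
};

static bool ring_full(const struct ring *r)
{
	return r->wp - r->rp == RING_SLOTS;
}

static void buf_free(struct buf *b)	/* models kfree_skb() */
{
	b->freed = true;
}

/* Vulnerable shape: b is already on the ring when -EIO is returned. */
static int queue_vuln(struct ring *r, struct buf *b)
{
	if (ring_full(r))
		return -ENOMEM;		/* nothing queued: an error is fine */
	r->slot[r->wp++ % RING_SLOTS] = b;	/* ownership moves to the ring */
	if (r->state == PM_M3) {
		r->db_pending = true;	/* the resume path rings later */
		return -EIO;		/* BUG: caller still thinks it owns b */
	}
	r->db_rung = true;
	return 0;
}

/* Fixed shape: a deferred doorbell is a delay, not an error. */
static int queue_fixed(struct ring *r, struct buf *b)
{
	if (ring_full(r))
		return -ENOMEM;
	r->slot[r->wp++ % RING_SLOTS] = b;
	if (r->state == PM_M3)
		r->db_pending = true;
	else
		r->db_rung = true;
	return 0;
}

/* Client driver tx path: on error it assumes it still owns b and frees it. */
static int client_tx(struct ring *r, struct buf *b,
		     int (*queue)(struct ring *, struct buf *))
{
	int ret = queue(r, b);

	if (ret)
		buf_free(b);
	return ret;
}

/* Device returns to M0, doorbell is rung, ring entries are consumed.
 * Returns how many consumed entries pointed at an already-freed buffer. */
static int resume_and_complete(struct ring *r)
{
	int dangling = 0;

	r->state = PM_M0;
	if (r->db_pending) {
		r->db_rung = true;
		r->db_pending = false;
	}
	while (r->rp != r->wp) {
		struct buf *b = r->slot[r->rp++ % RING_SLOTS];

		if (b->freed)
			dangling++;	/* device reads from a freed skb */
		else
			buf_free(b);	/* normal completion */
	}
	return dangling;
}

/* Queue one packet while in M3, then resume; *ret_out gets the tx result. */
static int run_scenario(int (*queue)(struct ring *, struct buf *), int *ret_out)
{
	struct ring r = { .state = PM_M3 };
	struct buf pkt = { .data = "constructed pkt" };	/* constructed sample */

	*ret_out = client_tx(&r, &pkt, queue);
	return resume_and_complete(&r);
}

int main(void)
{
	int ret, dangling;

	dangling = run_scenario(queue_vuln, &ret);
	printf("vulnerable: tx ret=%d dangling=%d\n", ret, dangling);
	dangling = run_scenario(queue_fixed, &ret);
	printf("fixed:      tx ret=%d dangling=%d\n", ret, dangling);
	return 0;
}
```

The model reproduces the page's point directly: with queue_vuln the client sees -EIO, frees the packet, and the ring later completes a freed buffer; with queue_fixed the tx path returns 0, the packet stays owned by the ring, and the doorbell is rung on resume without any dangling reference. The general rule it illustrates is that a queue function must not report failure once ownership of the buffer has passed to the ring.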

Exploit Details

The practical consequence of returning an error after the buffer has been queued is the use-after-free on the skb path: the freed skb may be reused while the transfer ring and the device still reference it. The realistic outcome is a kernel crash (denial of service) or memory corruption. The path is reachable locally by any MHI client driver that transmits while the modem is in the M3 low-power state; it is not a remotely triggered condition by itself, and no public exploit is described in the reference.

Because MHI is used to talk to cellular modems on laptops and embedded devices, organizations and developers relying on the Linux kernel on such hardware should update to a kernel that carries the fix.

In conclusion, CVE-2021-46969 in the Linux kernel has been resolved in the 'bus: mhi: core' module. The fix changes mhi_queue so that a doorbell that cannot be rung in a non-M0 state is deferred to the resume path rather than reported as an error, which removes the use-after-free on the skb path. Updating the Linux kernel with the patch available at the original reference is recommended to keep the MHI bus working correctly and to prevent potential exploitation.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC