Introduction: The Linux kernel, a critical component of various systems and devices, was found to have a significant vulnerability CVE-2021-46979 involving the improper handling of ioctl handlers removal which could lead to kernel panic. This post explains the issue in detail, provides code snippets that address the vulnerability, linking to official references, and detailing the exploit.

CVE-2021-46979: Vulnerability Explained

In the Linux kernel, a vulnerability has been discovered involving Industrial I/O (IIO) devices which are widely used in industrial applications, for example sensors, actuators, and data acquisition systems. Specifically, the problem occurs with the improper removal of ioctl handlers in the IIO core subsystem, causing a double-free, leading to a kernel panic.

The Linux kernel developers have identified the issue and released an immediate fix for this CVE, dubbed as "iio: core: fix ioctl handlers removal" to resolve this vulnerability.

The following code snippet demonstrates the fix applied to address the vulnerability

// iio_device_unregister() function
void iio_device_unregister(struct iio_dev *indio_dev)

    // The proposed fix is to remove the following code from the function:
    if (indio_dev->info->read_event_config ||
        indio_dev->info->write_event_config)
            iio_device_unregister_eventset(indio_dev);
    if (indio_dev->buffer)
           iio_buffers_free_sysfs_and_mask(indio_dev);
    }

    ...

Now, let's take a look at the updated code in the registration functions (iio_device_register_*).

// iio_device_register_eventset function
int iio_device_register_eventset(struct iio_dev *indio_dev)
{
    ...
    // Upon successful registration, call the cleanup ioctl handlers function
    iio_device_unregister_eventset(indio_dev);

    ...

error_free_ev_masks:
    iio_sw_buffer_ev_cleanup(indio_dev);
error_ret:
    return ret;
}

// iio_device_register_buffer function
int iio_device_register_buffer(struct iio_dev *indio_dev)
{
    ...
    // Upon successful registration, call the cleanup ioctl handlers function
    iio_buffers_free_sysfs_and_mask(indio_dev);

    ...

error_cleanup_sysfs:
    iio_buffers_free_sysfs_and_mask(indio_dev);
error_ret:
    return ret;
}

This updated code ensures that the ioctl handlers list is not directly manipulated, but rather the registration functions call the appropriate matching cleanup function (iio_device_unregister_eventset or iio_buffers_free_sysfs_and_mask) when required.

Original References and Additional Resources

For more information on the iio: core: fix ioctl handlers removal and the associated vulnerability CVE-2021-46979, please refer to the following resources:

1. Official Linux kernel commit message
2. Patchwork

Exploit Details

The vulnerability can be exploited by an attacker that gains access to the device and sends crafted IOCTL requests to IIO devices. By causing a double-free, it could lead to a kernel panic, potentially resulting in a denial of service (DoS) attack on the affected system or kernel memory corruption, which might also lead to arbitrary code execution.

However, the vulnerability has been resolved in the latest version of the Linux kernel. It is highly recommended that you ensure your systems are patched and updated with the latest Linux kernel version to prevent any potential exploits or security threats related to CVE-2021-46979.

Timeline

Published on: 02/28/2024 09:15:37 UTC
Last modified on: 02/28/2024 14:06:45 UTC