The Linux kernel, which forms the core foundation for countless Linux-based operating systems, is constantly being improved and updated. Recently, a crucial vulnerability was discovered and resolved in the kernel. Specifically, the vulnerability was related to the ethernet driver, enic. The flaw, identified as CVE-2021-46998, is a use-after-free bug in the enic_hard_start_xmit function of that driver.

In the function enic_hard_start_xmit, a call to enic_queue_wq_skb() is made. Inside enic_queue_wq_skb, if an error occurs, the skb (the buffer holding the network packet) is freed via dev_kfree_skb(skb). The problem is that the caller then continues to use the freed skb in another function, skb_tx_timestamp(skb), which can lead to a crash, memory corruption that may be exploitable, and inconsistent data.

The solution to this vulnerability was proposed by Govind, whose patch has enic_hard_start_xmit() check the return value of enic_queue_wq_skb() and, on any error, jump to the spin_unlock label instead of continuing. This change ensures that the freed skb is not used again in the remainder of the function, closing the use-after-free. The patch and a detailed discussion of the vulnerability can be found on the Linux Kernel Mailing List (LKML) at the following link: https://lkml.org/lkml/2021/4/30/961.

Here's a snippet of the patched code shared by Govind:

static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb,
					struct net_device *netdev)
{
	struct enic *enic = netdev_priv(netdev);
	unsigned int wq_idx = skb->queue_mapping;
	struct enic_tx_info *tx_info;
	struct vnic_wq *wq;
	unsigned long flags;
	int ret;

	wq = &enic->wq[wq_idx];
	tx_info = skb_to_tx_info(skb);

	spin_lock_irqsave(&enic->devcmd_lock, flags);
	ret = enic_queue_wq_skb(enic, wq, skb, tx_info);
	if (ret)
		goto spin_unlock;	/* skb was freed inside enic_queue_wq_skb(); never touch it again */
	if (skb->tstamp)
		skb_tx_timestamp(skb);	/* only reached while the skb is still owned by us */

	spin_unlock_irqrestore(&enic->devcmd_lock, flags);

	return NETDEV_TX_OK;

spin_unlock:
	spin_unlock_irqrestore(&enic->devcmd_lock, flags);
	atomic_long_inc(&netdev->tx_dropped);

	/* The skb is already gone, so report it as consumed; returning
	 * NETDEV_TX_BUSY here would make the stack requeue and retransmit
	 * the freed buffer, reintroducing the use-after-free. */
	return NETDEV_TX_OK;
}
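The ownership rule behind the bug, modelled in user space as an added example (this is not the enic driver's code): enic_queue_wq_skb() consumes the skb whenever it fails, so the caller may touch the skb only after a successful return. The struct, the ring size and the poison flag are constructed stand-ins; freeing is modelled by setting a flag so the pre-fix path can be observed and counted instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>

enum { NETDEV_TX_OK = 0 };
enum { RING_DESCS = 4 };        /* constructed: free descriptors in the TX ring */

struct skb {
	size_t nr_descs;        /* descriptors this packet needs */
	bool freed;             /* poison flag standing in for a real free */
};

static int uaf_count;           /* touches of an skb after it was freed */

/* Stands in for dev_kfree_skb(): marks the buffer dead instead of freeing it. */
static void dev_kfree_skb(struct skb *skb) { skb->freed = true; }

/* Stands in for skb_tx_timestamp(): touching a freed skb is a use-after-free. */
static void skb_tx_timestamp(struct skb *skb)
{
	if (skb->freed)
		uaf_count++;
}

/* Models enic_queue_wq_skb(): on failure it CONSUMES the skb and reports an error. */
static int enic_queue_wq_skb(struct skb *skb)
{
	if (skb->nr_descs > RING_DESCS) {
		dev_kfree_skb(skb);     /* ownership of skb ends here */
		return -1;
	}
	return 0;
}

/* Pre-fix shape: the result is ignored and the skb is used afterwards. */
static int xmit_unchecked(struct skb *skb)
{
	enic_queue_wq_skb(skb);
	skb_tx_timestamp(skb);          /* use-after-free whenever queueing failed */
	return NETDEV_TX_OK;
}

/* Post-fix shape: check the result and leave without touching the skb. */
static int xmit_checked(struct skb *skb)
{
	if (enic_queue_wq_skb(skb))
		return NETDEV_TX_OK;    /* skb already freed; report it as consumed */
	skb_tx_timestamp(skb);
	return NETDEV_TX_OK;
}

/* Runs one packet through a transmit path; returns the UAFs it caused. */
static int uaf_after_xmit(int (*xmit)(struct skb *), size_t nr_descs)
{
	struct skb skb = { .nr_descs = nr_descs, .freed = false };
	uaf_count = 0;
	xmit(&skb);
	return uaf_count;
}
```

A packet that fits the ring (nr_descs <= 4) is safe on both paths; an oversized one triggers exactly one poisoned touch on the unchecked path and none on the checked one.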

In conclusion, the Linux kernel team is actively working on addressing vulnerabilities to ensure the security and reliability of the widely used open-source operating system. The discovered flaw, CVE-2021-46998, highlights the importance of continuous improvement, testing, and collaboration within the open-source community to maintain the security and stability of the Linux kernel and the systems built on it.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 02/28/2024 14:06:45 UTC