CVE-2021-47002 - Linux Kernel SUNRPC Null Pointer Dereference in `svc_rqst_free()`—Explained Simply

In June 2021, the Linux kernel community patched a potentially dangerous bug (CVE-2021-47002) related to the SUNRPC subsystem. This bug could cause a crash (known as a kernel panic) due to a null pointer dereference if the system ran low on memory. In this post, we'll break down what happened, how the bug could be exploited, and show code snippets directly from the fix. If you've ever wondered how a seemingly small slip could bring down the mighty Linux kernel, read on.

What is SUNRPC?

First, SUNRPC (Sun Remote Procedure Call) is a protocol used in the Linux kernel for distributed computing, especially in NFS (Network File System). It's common in servers and clusters for file sharing.

What’s the Problem? (TL;DR)

When the kernel tried to allocate memory for a request structure, it didn’t always get it—sometimes alloc_pages_node() can return NULL (no memory available). But later, the code tried to free this memory without checking if it really existed, causing a NULL pointer dereference.

Null pointer dereference = code tries to access something at address , which is prohibited. This makes the entire system crash.

Here’s the simplified vulnerable part (before the fix)

// Allocating memory for rq_scratch_page
rqstp = kzalloc(sizeof(*rqstp), GFP_KERNEL);
if (!rqstp)
    return NULL;

rqstp->rq_scratch_page = alloc_pages_node(node, GFP_KERNEL, );

// ... later in svc_rqst_free()
put_page(rqstp->rq_scratch_page); // <- no NULL check!

If alloc_pages_node fails, rqstp->rq_scratch_page is NULL, but put_page is called anyway—bad news!

The kernel maintainers fixed it by simply checking for NULL

if (rqstp->rq_scratch_page)
    put_page(rqstp->rq_scratch_page); // Only free if it exists

This prevents the kernel from crashing when memory allocation fails.

Crash Only: This is a denial-of-service situation, not a privilege escalation or data leak.

- Who Can Trigger It? An attacker (or unlucky admin) could exhaust system memory or spam NFS requests, pushing alloc_pages_node() to fail.
- Impact: If triggered, the kernel panics, and your server reboots. Bad for uptime, bad for reliability.

Note: There's no direct "remote exploit" with remote code execution here—just a way to crash the system.

Reference Links

- Original Linux Kernel Commit Fix
- CVE-2021-47002 at NVD
- Coverity Scan Issue ("Dereference after null check")
- Linux Kernel Mailing List Post

Here’s a (hypothetical) way to reach the bug

// Fill up system memory - incredibly simplified
while (malloc(1024 * 1024)); // keep allocating till system OOM

// Then trigger an NFS or SUNRPC call from another terminal
mount.nfs <target>:/export /mnt

If sysadmins run many NFS/SUNRPC requests while the system is OOM,
the kernel call could take the NULL-hitting path.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 12/09/2024 18:25:24 UTC