CVE-2021-47009: Fixing a Memory Leak in KEYS: Trusted Kernel

A security vulnerability (CVE-2021-47009) within the Linux kernel has been recently resolved, addressing issues with memory leaks in the KEYS: trusted component. In this post, we'll review this vulnerability, provide guidance on how to resolve it, and share details regarding the exploit. Throughout, we'll include reference links and code snippets to aid understanding.

Background

The Linux kernel, an essential component of Linux-based operating systems, is responsible for managing the system's hardware and resources. Occasionally, vulnerabilities may emerge, and it is crucial to resolve these issues quickly to maintain a secure environment for users.

The vulnerability in question relates to the handling of memory allocation within the KEYS: trusted component, specifically, the "trusted" platform module (TPM). The TPM serves as a cryptographic processor that securely stores sensitive data and enforces access policies for cryptographic keys.

Issue

This memory leak vulnerability occurs when an object (td) is allocated but not properly deallocated in two error return paths, potentially causing issues with memory usage and stability. The following warning message is generated when using the clang scan-build tool:

security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential
memory leak [unix.Malloc]

As memory is not released in these cases, it could lead to issues by continuously allocating memory without deallocating it, ultimately resulting in poor system performance and even crashes.

Solution

To fix this vulnerability, the error return paths need to be adjusted to ensure that the allocated object (td) is securely deallocated using the kfree function. The original code snippet in question is found at [1]:

static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
                         unsigned int keylen, unsigned char *h1,
                         unsigned char *h2, unsigned char *nonceodd,
                         unsigned char *civ)
{
    ...
    td = kmalloc(tpm_datalen + 1, GFP_KERNEL);
    if (!td)
        return -ENOMEM;
    ...
    if (off < tpm_datalen) {
        rc = -EINVAL;
        goto out;
    }
    ...
    rc = ;
out_kfree_td:
    kfree_sensitive(td);
    return rc;
}

Replace the 'goto' statement that is causing memory leaks with the appropriate error return paths

if (off < tpm_datalen) {
    rc = -EINVAL;
    goto out_kfree_td;
}

Ensure that the td object is properly deallocated at the end of the function

out_kfree_td:
    kfree_sensitive(td);
    return rc;

This fix will ensure that allocated memory is securely released, addressing the memory leak issue.

Exploit Details

The vulnerability itself does not grant attackers direct control of the affected system or the ability to access sensitive data. Instead, attackers could exploit the memory leak to degrade system performance, potentially causing system crashes. While not a high-risk vulnerability, it is advisable to apply the fix to ensure a stable operating environment.

References

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e4a7076ccdadcfe496eb65486574c45d8b495da
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47009

Conclusion

The CVE-2021-47009 vulnerability highlights the importance of tracking updates and addressing potential security vulnerabilities in the Linux kernel and other essential components. By understanding the problem, finding the appropriate solution, and applying the necessary code changes, users can maintain a secure and stable operating system.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 02/28/2024 14:06:45 UTC