CVE-2021-47012 - Use-After-Free Vulnerability in Linux Kernel's RDMA/siw (Simple Internet Wide-area RDMA)

In this long read, we’ll dive into CVE-2021-47012, a security issue affecting the Linux kernel's software RDMA implementation (siw). We’ll break down exactly where things went wrong in the code, show exploits, and link to all key references for deeper study. All the technical stuff is explained in simple American language.

What is CVE-2021-47012?

CVE-2021-47012 is a use-after-free (UAF) vulnerability in the software iWARP (siw) layer of the Linux kernel RDMA subsystem. Specifically, it was found in the handling code for memory registration (MR) objects. If you’re not deep into RDMA, just know this is an advanced networking feature used in data centers, HPC, and cloud.

A UAF risk means the kernel might access memory after it has been freed, which can snowball into data leaks, crashes, or even arbitrary code execution.

How Did the Vulnerability Happen?

The bug was discovered by static code analysis. It centers around the siw_alloc_mr() and siw_mr_add_mem() functions:

It calls siw_mr_add_mem(mr, ...) to map memory to the MR.

- If memory allocation inside siw_mr_add_mem fails, memory is freed but a pointer is still kept and used later.

Let’s see a simplified version of the original faulty code

// In drivers/infiniband/sw/siw/siw_mem.c

int siw_alloc_mr(struct ib_pd *pd, ...)
{
    //...
    mem = kzalloc(sizeof(*mem), GFP_KERNEL);
    if (!mem)
        return -ENOMEM;
    // Introduces bug: assigning mem before checking allocation logic
    mr->mem = mem;
    // ...
    if (xa_alloc_cyclic(..., &mem->addr, ...) < ) {
        kfree(mem);   // mem is now freed
        goto err_out;
    }
    //...
err_out:
    siw_mr_drop_mem(mr); // Uses mr->mem, which is dangling pointer!
    return -ENOMEM;
}

What went wrong?
mr->mem is assigned to point to mem, then mem is freed on error. But if an error occurs, the code tries to use mr->mem while it’s already freed (dangling pointer), leading to UAF.

What Are The Risks?

- Local Exploitation: Malicious unprivileged processes can potentially trick the kernel into using and accessing freed memory.

Denial of Service: Crash the system or corrupt kernel memory.

- Privilege Escalation: In rare cases, RCE (Remote Code Execution) can happen if attacker can inject code/data into the freed memory chunk and get it executed.


## Proof-of-Concept (PoC) / Exploit

Crafting a real-world local exploit for this kernel bug is nontrivial, but in theory

- A user-controlled process could race or trigger error handling in RDMA memory operations, causing the freed memory to be accessed and potentially overwritten.
- If combined with other bugs, could leak kernel info or write arbitrary values as a privileged context.

No easy public exploit is available. But here is how an attacker might target such a flaw

// Pseudo-code for triggering the bug

int trigger_rdma_uaf() {
    // Set up RDMA software device
    // Allocate and quickly free memory region via RDMA verbs
    // Try to reclaim the same kernel memory with known data
    // See if kernel "uses-after-free" and crashes or leaks data
}

Note: Proof-of-concept is mostly for research – actual attack needs precise kernel heap feng shui.

The patch simply delays the assignment of mr->mem

// New fixed code
if (xa_alloc_cyclic(..., &mem->addr, ...) < ) {
    kfree(mem);
    goto err_out;
}
mr->mem = mem; // assign only after allocation succeeded!

This change ensures that mr->mem is only ever set to a valid, allocated chunk – never to something potentially freed.

#### Reference: Linux commit 9dd65fe99b6e ("RDMA/siw: Fix a use after free in siw_alloc_mr")

Platforms that allow local untrusted users to interact with RDMA interfaces

Not enabled on most desktop Linuxes by default. Cloud and HPC/sharing environments are more at risk.

How Do I Fix It?

Linux distros should update the kernel!
- Check for updates if you run RDMA/siw.
- If rolling your own kernel, cherry-pick the official patch.

References, Further Reading

- Linux commit fixing bug: 9dd65fe99b6e4153964be2344004521f20e93e20
- CVE Details: CVE-2021-47012 at NVD
- siw kernel documentation: siw.rst (kernel.org)

Final Thoughts

CVE-2021-47012 is a classic example of how easy it is to introduce critical bugs in low-level C code – especially in the kernel. Careful ordering of assignments and frees can prevent nasty UAF problems.

Stay patched, keep an eye on kernel changelogs, and don’t run untrusted RDMA workloads unless you’re up to date.


*This report is exclusive and paraphrased in plain language for easy understanding of sysadmins, kernel users, and security audiences.*

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 12/09/2024 18:24:59 UTC