A use after free vulnerability has been discovered and fixed in the Linux kernel's EMAC (Ethernet Media Access Controller) network driver (net: emac/emac-mac). The defect is in emac_mac_tx_buf_send, the function that hands outgoing packets to the hardware. Reading freed memory in this path can corrupt kernel memory and destabilise affected systems. This article covers the details of the issue, its potential impact, and the fix that was applied.

The Problem

In emac_mac_tx_buf_send, emac_tx_fill_tpd() is called with a pointer to the skb (socket buffer) being transmitted. If emac_tx_fill_tpd() fails, the error-handling branch frees the skb with dev_kfree_skb(skb). The freed skb is nevertheless read afterwards: its skb->len field is passed to netdev_sent_queue(), which is a use after free.

The following simplified snippet illustrates the issue (the error branch frees the skb, and the call that follows still reads skb->len):

    {
        // ... omitted code ...
        ret = emac_tx_fill_tpd(adapter, skb, ctx_id, vlan_tagged, nr_frags,
                               offload_type, tso, xmit_type);

        if (ret)
            dev_kfree_skb(skb);             // skb is freed on error

        // Reached on both paths: on error, skb->len reads freed memory
        netdev_sent_queue(netdev, skb->len);
        // ... omitted code ...
    }

The Fix

To fix the use after free, the value of skb->len is copied into a local variable len before emac_tx_fill_tpd() is called, i.e. before the skb can be freed in its error branch. The local variable len is then passed to netdev_sent_queue() instead of skb->len. The patched code looks like this:

    {
        // ... omitted code ...
        unsigned int len = skb->len;        // Copy skb->len while skb is still valid

        ret = emac_tx_fill_tpd(adapter, skb, ctx_id, vlan_tagged, nr_frags,
                               offload_type, tso, xmit_type);

        if (ret)
            dev_kfree_skb(skb);             // skb must not be touched after this

        netdev_sent_queue(netdev, len);     // Use len instead of skb->len
        // ... omitted code ...
    }

This small change ensures that the correct length is reported to the queue layer even when the skb has already been freed, and it removes the read from freed memory.
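The pattern behind both the bug and the fix (a field read after a call that may free the object, versus the same field copied out beforehand) can be reproduced outside the kernel. The user-space model below is an added example written for this article, not code from the kernel or the EMAC driver; struct tx_buf, fill_ring, sent_queue_add, tx_send_vulnerable, tx_send_fixed and run_fixed are invented stand-ins for sk_buff, emac_tx_fill_tpd, netdev_sent_queue and emac_mac_tx_buf_send, and the only failure modelled is a packet that does not fit the descriptor ring.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the driver's send path. All names here are
 * invented for this example; they mirror the kernel roles noted in comments. */

struct tx_buf {                 /* stands in for struct sk_buff */
    unsigned int len;
    unsigned char *data;
};

static unsigned long queued_bytes;   /* what netdev_sent_queue() would have been told */

static struct tx_buf *tx_buf_alloc(unsigned int len)
{
    struct tx_buf *b = calloc(1, sizeof(*b));
    if (!b)
        return NULL;
    b->data = malloc(len);
    if (!b->data) {
        free(b);
        return NULL;
    }
    memset(b->data, 0xab, len);      /* constructed payload */
    b->len = len;
    return b;
}

static void tx_buf_free(struct tx_buf *b)   /* stands in for dev_kfree_skb() */
{
    free(b->data);
    free(b);
}

/* Stands in for emac_tx_fill_tpd(): fails with -ENOMEM if the packet does not
 * fit the remaining descriptor ring space. */
static int fill_ring(const struct tx_buf *b, unsigned int ring_space)
{
    return b->len > ring_space ? -ENOMEM : 0;
}

static void sent_queue_add(unsigned int len)   /* stands in for netdev_sent_queue() */
{
    queued_bytes += len;
}

/* Vulnerable shape: b->len is read after the error branch has freed b.
 * Compile with -fsanitize=address and call this with a packet larger than the
 * ring space to see the heap-use-after-free report. */
int tx_send_vulnerable(struct tx_buf *b, unsigned int ring_space)
{
    int ret = fill_ring(b, ring_space);
    if (ret)
        tx_buf_free(b);
    sent_queue_add(b->len);          /* use after free when ret != 0 */
    return ret;
}

/* Fixed shape: copy the length out while b is certainly live. */
int tx_send_fixed(struct tx_buf *b, unsigned int ring_space)
{
    unsigned int len = b->len;       /* must precede the call that may free b */
    int ret = fill_ring(b, ring_space);
    if (ret)
        tx_buf_free(b);              /* b is dangling from here on */
    sent_queue_add(len);             /* only the saved copy is used */
    return ret;
}

/* Drives one send through the fixed path; returns the bytes accounted for and,
 * if ret_out is non-NULL, the send result. */
unsigned long run_fixed(unsigned int pkt_len, unsigned int ring_space, int *ret_out)
{
    struct tx_buf *b = tx_buf_alloc(pkt_len);
    int ret;

    queued_bytes = 0;
    if (!b) {
        if (ret_out)
            *ret_out = -ENOMEM;
        return 0;
    }
    ret = tx_send_fixed(b, ring_space);
    if (ret == 0)
        tx_buf_free(b);              /* success path: caller still owns b here */
    if (ret_out)
        *ret_out = ret;
    return queued_bytes;
}

int main(void)
{
    int ret;
    unsigned long q;

    q = run_fixed(1500, 4096, &ret);
    printf("fits ring: ret=%d queued=%lu\n", ret, q);
    q = run_fixed(1500, 1000, &ret);
    printf("ring full: ret=%d queued=%lu\n", ret, q);
#ifdef DEMO_UAF
    /* Build with -DDEMO_UAF -fsanitize=address -g to watch ASan catch the bug. */
    tx_send_vulnerable(tx_buf_alloc(1500), 1000);
#endif
    return 0;
}
```

Note that the fixed path still reports the length on the error path, exactly as the patched driver does: the goal of the fix is to stop reading freed memory, not to change what the queue layer is told.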

References

1. The patch that addresses the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcdce154bac547d6debf73d8cd42f824acb7ff9
2. The Linux kernel source code repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Exploit Details

At the time of writing, no exploits targeting this vulnerability have been observed in the wild. A use after free in a kernel transmit path is nevertheless a memory-safety bug that could be abused for memory corruption or a denial of service on affected systems, so the patch should be applied to any kernel that builds the EMAC driver.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 02/28/2024 14:06:45 UTC