A security vulnerability identified as CVE-2021-47022 affected the Linux kernel, specifically the MediaTek MT76 WiFi driver. This bug could cause a memory leak when unregistering (mt7615_unregister_device) an MT7615 device. The issue came from the order in which functions were called when cleaning up transmit tokens.
In this post, we’ll break down what happened, take a look at the affected code, see how the fix works, and discuss why this matters to sysadmins, developers, and anyone running Linux on hardware with MediaTek WiFi chips.
What is the MT76 Driver?
MT76 is an open-source driver for MediaTek (Ralink) wireless chips. It is part of the mainline Linux kernel and is widely used in consumer routers and embedded devices.
The Vulnerability in Detail
When the driver needs to unregister (remove) an MT7615 device, it performs cleanup operations to prevent memory leaks. There are two core functions involved:
mt76_free_pending_txwi(): Frees up any pending transmit wireless information (TX Wireless Info).
The Problem:
The cleanup function called them in the wrong order. Releasing the pending TX info before clearing transmit tokens caused some memory to not be freed—a memory leak that, over time, could make the kernel unstable.
Here’s a simplified version of the buggy cleanup logic from mt7615_unregister_device()
// Old buggy code
static void mt7615_unregister_device(struct mt7615_dev *dev)
{
// ...
mt76_free_pending_txwi(&dev->mt76);
mt7615_tx_token_put(dev);
// ...
}
By calling mt76_free_pending_txwi() before mt7615_tx_token_put(), transmit tokens could be orphaned, causing their memory to be lost.
The Fix
The fix is simple: reverse the order of the operations. Always release transmit tokens first. Here’s what the fixed code looks like:
// Fixed code
static void mt7615_unregister_device(struct mt7615_dev *dev)
{
// ...
mt7615_tx_token_put(dev);
mt76_free_pending_txwi(&dev->mt76);
// ...
}
Now, all memory is properly freed every time you unregister the device. No more memory leaks.
Exploiting the Vulnerability
Can attackers exploit this bug?
CVE-2021-47022 is primarily a denial of service (DoS) issue. It doesn’t allow for privilege escalation or code execution, but it could be abused by:
Over time, causing the system to run out of memory and potentially crash or hang.
This is unlikely in standard desktop/server use, but it could happen accidentally during stress or fuzz testing, and in embedded scenarios where devices run non-stop.
Proof of Concept
# You would need shell access and the driver loaded as a kernel module.
# This is to simulate repeated loading/unloading.
modprobe mt7615e
rmmod mt7615e
modprobe mt7615e
rmmod mt7615e
# With the buggy version, each cycle would leak memory.
# After dozens/hundreds of cycles, you could run 'free -m' and see the memory usage grow.
References
- Linux Kernel Patch
- CVE-2021-47022 - MITRE
- MT76 Driver Source (GitHub)
What Should You Do?
If you maintain devices or distributions running Linux with the MT76 WiFi driver (especially MT7615-based hardware):
- Make sure your kernel includes the patch/fix for CVE-2021-47022.
Upgrade to Linux kernel v5.13 or newer, or ensure your vendor has backported the fix.
- For embedded and long-running devices, consider monitoring memory usage and updating firmware as needed.
Summary
CVE-2021-47022 shows how even a simple order of function calls can lead to subtle but serious problems like memory leaks. The fix was straightforward, but it reinforces the need for careful code reviews—especially in code that manages low-level hardware resources. If you use MediaTek-based WiFi devices on Linux, check your kernel version and update if needed.
Timeline
Published on: 02/28/2024 09:15:39 UTC
Last modified on: 12/09/2024 18:09:01 UTC