Recently, a vulnerability (CVE-2021-47022) was discovered and resolved in the Linux kernel. This vulnerability was found in the mt76 driver, specifically the mt7615 component. The problem caused a memory leak when calling mt7615_unregister_device(). This post will provide essential information regarding the vulnerability, including its cause, code snippets, links to original references, and exploit details. We will also explain the fix that was implemented to resolve the issue.

Vulnerability Description

In the Linux kernel, the mt76 driver is used to support MediaTek's Wi-Fi devices, including the MT7615 wireless chipset. The vulnerability was in the mt7615_tx_token_put() function, which was incorrectly positioned in the code. As a result, the memory leak occurred during the call of mt7615_unregister_device().

An attacker with access to the vulnerable system could potentially exploit this memory leak, causing system instability or crashes. It could also pave the way for further attacks on the system.

Before the fix, the problematic code looked like this:

void mt7615_unregister_device(struct mt76_dev *mdev)
{
	struct mt7615_dev *dev = container_of(mdev, struct mt7615_dev, mt76);
	int idx;

	for (idx = 0; idx < ARRAY_SIZE(dev->mt76.txq); idx++) {
		mt76_tx_clean_free(&dev->mt76, dev->mt76.txq[idx]);
	}

	mt76_unregister_device(&dev->mt76);
	/* mt7615_tx_token_put() is never reached here, so the tx tokens leak */
	mt76_free_pending_txwi(dev->mt76.txq);
}

Here, mt76_free_pending_txwi() was called directly after mt76_unregister_device(). As a result, mt7615_tx_token_put() was never called, and the buffers still held by outstanding tx tokens were leaked.

The Fix

To resolve the issue, the mt7615_tx_token_put() function needs to be called before the mt76_free_pending_txwi() function. Here's what the corrected code looks like:

void mt7615_unregister_device(struct mt76_dev *mdev)
{
	struct mt7615_dev *dev = container_of(mdev, struct mt7615_dev, mt76);
	int idx;

	for (idx = 0; idx < ARRAY_SIZE(dev->mt76.txq); idx++) {
		mt76_tx_clean_free(&dev->mt76, dev->mt76.txq[idx]);
	}

	mt76_unregister_device(&dev->mt76);
	mt7615_tx_token_put(dev); /* fix applied here: release tx tokens first */
	mt76_free_pending_txwi(dev->mt76.txq);
}

As shown above, the mt7615_tx_token_put() function has been correctly placed before the mt76_free_pending_txwi() function to avoid the memory leak.
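To make the ordering problem concrete, here is an added user-space model of the teardown (example code written for this post, not the kernel's or the mt76 project's code). The model_* names and the fixed-size token table are hypothetical stand-ins for the driver's tx token handling; live_bufs counts allocations that have not been freed, so a non-zero result after unregister is a leak.

```c
#include <stdlib.h>
#include <string.h>

#define TOKEN_COUNT 4

/* Hypothetical stand-in for the driver's tx token table. */
struct model_dev {
    void *token[TOKEN_COUNT]; /* buffers reachable only through a token */
    int live_bufs;            /* allocations not yet freed */
};

/* Queue a frame: allocate its buffer and park it under a token. */
static int model_token_get(struct model_dev *dev)
{
    for (int i = 0; i < TOKEN_COUNT; i++)
        if (!dev->token[i] && (dev->token[i] = calloc(64, 1)))
            return dev->live_bufs++, i;
    return -1;
}

/* tx_token_put: free every buffer still held by a token. */
static void model_tx_token_put(struct model_dev *dev)
{
    for (int i = 0; i < TOKEN_COUNT; i++)
        if (dev->token[i]) {
            free(dev->token[i]);
            dev->token[i] = NULL;
            dev->live_bufs--;
        }
}

/* DMA cleanup drops the table; anything still in it is unreachable. */
static void model_dma_cleanup(struct model_dev *dev)
{
    memset(dev->token, 0, sizeof(dev->token));
}

/* Tear down a device with `pending` frames in flight and return the
 * number of buffers leaked (allocated but no longer referenced). */
int model_unregister(int pending, int put_tokens_first)
{
    struct model_dev dev = { { 0 }, 0 };
    for (int i = 0; i < pending; i++)
        model_token_get(&dev);
    if (put_tokens_first)        /* fixed order: release before cleanup */
        model_tx_token_put(&dev);
    model_dma_cleanup(&dev);
    model_tx_token_put(&dev);    /* buggy order: table already empty */
    return dev.live_bufs;
}
```

With three frames pending, the buggy order reports three leaked buffers and the fixed order reports none; the same pattern (release what a table references before dropping the table) is what the kernel patch restores.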

Original References

1. Official Linux Kernel Git Repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
2. MediaTek's MT7615 Driver: https://github.com/torvalds/linux/tree/master/drivers/net/wireless/mediatek/mt76/mt7615
3. CVE-2021-47022 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47022

Exploit Details

As of now, there have been no known exploits of this vulnerability in the wild. However, it's crucial for system administrators and users to update their Linux kernel to the patched version to avoid potential exploitation in the future.

Conclusion

The Linux kernel is an integral part of many systems, and vulnerabilities like CVE-2021-47022 can pose a severe threat if left unaddressed. Therefore, it's crucial to stay updated on security patches and ensure that your systems are always protected against potential attacks. Please update your Linux kernel to the latest version and apply the necessary patches for your system's security.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 02/28/2024 14:06:45 UTC