CVE-2021-47031 is a bug in the Linux kernel's mt76 wireless driver family, specifically the mt7921 driver for MediaTek Wi-Fi chips. The affected code is mt7921_coredump_work, the work handler that collects firmware coredump data after the chip reports a crash; on some paths it could leak memory. A kernel memory leak is an availability problem: leaked allocations are never returned, so each trigger permanently consumes a little RAM until performance degrades or the system runs out of memory. It is not memory corruption and does not by itself give an attacker code execution. The issue has been fixed upstream.

In this post, we will take a closer look at the vulnerability itself, its potential impact, and how the patch works to resolve it. We will also look at some code snippets and provide references for further details on the bug and its fix.

Vulnerability Details

Memory leaks occur when memory is allocated and never freed after it is no longer needed. In user space a leak ends when the process exits; in the kernel there is no such cleanup, so leaked allocations stay lost until reboot. Over time these small amounts accumulate, leading to memory pressure, performance problems and eventually out-of-memory conditions.

In the case of CVE-2021-47031, the leak is in the mt7921_coredump_work function, which runs as a deferred work item when the firmware delivers coredump data. Because the handler runs once per coredump event, anything it fails to free is lost for good each time the firmware crashes. The function begins as follows (the body is elided in the snippet):

static void mt7921_coredump_work(struct work_struct *work)
{
	struct mt7921_dev *dev = container_of(work, struct mt7921_dev,
					      coredump.work);
	struct mt76_dev *mdev = &dev->mt76;
// ...
}
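To make the leak concrete, here is an added userspace model written for this post; it is not the kernel driver code, and all names in it (msg, queue, coredump_work_leaky, coredump_work_fixed, COREDUMP_SZ) are hypothetical. The page does not show the loop body of mt7921_coredump_work, so the mechanism modelled here, an early exit from a loop that drains queued firmware messages into a fixed-size dump buffer and skips freeing the message it just dequeued, is an assumption made for illustration. The leaky and fixed variants sit side by side, and the live-allocation counter shows the difference.

```c
/* Userspace model of a coredump work handler that drains a message queue.
 * Constructed for illustration; not the kernel code. All names are
 * hypothetical, and the leak mechanism shown is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COREDUMP_SZ 64   /* assumed size of the fixed coredump buffer */

/* Stand-in for an skb queued by the firmware receive path. */
struct msg {
    struct msg *next;
    size_t len;
    unsigned char data[];
};

struct queue { struct msg *head, *tail; };

/* Number of messages currently allocated; lets us observe a leak. */
static int live_msgs;

static struct msg *msg_alloc(size_t len, unsigned char fill)
{
    struct msg *m = calloc(1, sizeof(*m) + len);
    if (!m) abort();
    m->len = len;
    memset(m->data, fill, len);
    live_msgs++;
    return m;
}

static void msg_free(struct msg *m) { free(m); live_msgs--; }

static void queue_push(struct queue *q, struct msg *m)
{
    m->next = NULL;
    if (q->tail) q->tail->next = m; else q->head = m;
    q->tail = m;
}

static struct msg *queue_pop(struct queue *q)
{
    struct msg *m = q->head;
    if (!m) return NULL;
    q->head = m->next;
    if (!q->head) q->tail = NULL;
    return m;
}

/* Leaky variant: stop as soon as a chunk would overflow the dump.
 * The chunk just popped is never freed and the rest stay queued. */
static size_t coredump_work_leaky(struct queue *q, unsigned char *dump)
{
    size_t used = 0;
    struct msg *m;

    while ((m = queue_pop(q)) != NULL) {
        if (used + m->len > COREDUMP_SZ)
            break;                     /* leak: m is dropped unfreed */
        memcpy(dump + used, m->data, m->len);
        used += m->len;
        msg_free(m);
    }
    return used;
}

/* Fixed variant: discard chunks that do not fit but keep draining,
 * so every message is freed exactly once. */
static size_t coredump_work_fixed(struct queue *q, unsigned char *dump)
{
    size_t used = 0;
    struct msg *m;

    while ((m = queue_pop(q)) != NULL) {
        if (used + m->len > COREDUMP_SZ) {
            msg_free(m);               /* free it and continue draining */
            continue;
        }
        memcpy(dump + used, m->data, m->len);
        used += m->len;
        msg_free(m);
    }
    return used;
}

/* Queue `count` constructed chunks of `chunk_len` bytes, run one variant,
 * and return how many messages are still allocated (0 means no leak). */
static int leaked_after(size_t (*work)(struct queue *, unsigned char *),
                        int count, size_t chunk_len)
{
    struct queue q = { 0 };
    unsigned char dump[COREDUMP_SZ];

    live_msgs = 0;
    for (int i = 0; i < count; i++)
        queue_push(&q, msg_alloc(chunk_len, (unsigned char)i));
    work(&q, dump);
    return live_msgs;
}

int main(void)
{
    /* 10 chunks of 16 bytes (160 bytes) into a 64-byte dump. */
    printf("leaky: %d messages leaked\n", leaked_after(coredump_work_leaky, 10, 16));
    printf("fixed: %d messages leaked\n", leaked_after(coredump_work_fixed, 10, 16));
    return 0;
}
```

With ten 16-byte chunks and a 64-byte buffer, the leaky variant copies four chunks, pops the fifth, breaks out and leaves six allocations behind; the fixed variant returns with none. The general lesson is the one this CVE illustrates: in a loop that takes ownership of each dequeued element, every exit path, including the error path, must release that element.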

Original References
The fix is commit 1ace14ae661bd259 in the mainline Linux kernel Git repository, with the subject "mt76: mt7921: fix memory leak in mt7921_coredump_work", authored by Lorenzo Bianconi. The CVE record published on 28 February 2024 points at that commit; the commit diff itself is the authoritative description of the change and should be consulted rather than any paraphrase, including the abbreviated snippets in this post.

Patch Overview

The patch ensures that memory allocated for the coredump is freed once it is no longer needed. The snippet below is abbreviated (call sites and the loop body are elided), so it shows the shape of the change rather than the complete diff:

 static void mt7921_coredump_work(struct work_struct *work)
 {
 	struct mt7921_dev *dev = container_of(work, struct mt7921_dev,
 					      coredump.work);
 	struct mt76_dev *mdev = &dev->mt76;
+	struct mt76_connac_coredump *cdump = &dev->mt76.coredump;
 // ...
 }
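Review bot: the new local `cdump` in this hunk is declared but never used in the lines shown, which would trip -Wunused-variable unless the elided body references it; also, `mdev` already holds `&dev->mt76` on the previous line, so `&mdev->coredump` is the more consistent spelling than `&dev->mt76.coredump`.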

+static void mt7921_coredump_release(struct kref *ref)
+{
+	struct mt76_connac_coredump *cdump = container_of(ref,
+					struct mt76_connac_coredump, ref);
+	kfree_sensitive(cdump->data);
+}
+//...
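Review bot: `mt7921_coredump_release` is a kref release callback, but nothing in this patch shows the kref being initialised or dropped (no `kref_init`/`kref_put` on `cdump->ref`), so as presented the static function is unreferenced and the leak is only closed if every exit path of mt7921_coredump_work actually drops its reference. The callback also frees `cdump->data` without clearing the pointer; if the coredump struct is reused for the next firmware crash, set `cdump->data = NULL` after the `kfree_sensitive` to avoid a dangling pointer.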

In the snippet, mt7921_coredump_release is a kref release callback that frees cdump->data. Using kfree_sensitive rather than kfree is a deliberate choice for a firmware coredump: it zeroes the buffer before freeing it, so any key material or plaintext captured from the chip does not linger in freed memory. For the callback to close the leak, every path that finishes with the dump, including error and early-exit paths in mt7921_coredump_work, must drop its reference so the release function actually runs; those call sites are elided above, and the upstream commit is the place to confirm them.

Conclusion

CVE-2021-47031 was a memory leak in the Linux kernel's mt7921 MediaTek Wi-Fi driver (part of mt76), in the mt7921_coredump_work work handler, with the usual consequences of a kernel leak: gradual memory exhaustion and reduced stability on affected machines, rather than code execution. The fix ensures the coredump memory is freed on every path. To confirm a kernel tree carries it, search the history for the commit subject "mt76: mt7921: fix memory leak in mt7921_coredump_work" or the commit ID 1ace14ae661bd259; on a running system, leaks of this kind can be observed with the kernel's kmemleak detector (CONFIG_DEBUG_KMEMLEAK) after triggering the code path. For the full change, refer to the commit in the mainline Linux kernel Git repository.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 02/28/2024 14:06:45 UTC