CVE CyberSecurity Database News

CVE-2021-47032 - How a DMA Mapping Leak in MT7915 Linux Wi-Fi Driver Was Patched

Poster -

In 2021, security researchers identified a subtle but dangerous bug in the Linux kernel's MT76 Wi-Fi driver—specifically targeting the MediaTek MT7915 chip. Tracked as CVE-2021-47032, this vulnerability could result in memory leaks within the DMA (Direct Memory Access) mapping system, which in turn could degrade the reliability or even security of affected Linux-based devices.

In this deep dive, we’ll break down what went wrong, how CVE-2021-47032 was fixed, and what it means for users and developers. We'll use simple, clear terms and some code snippets so anyone can understand the issue and its solution.

What is DMA and Why Does It Matter?

DMA stands for Direct Memory Access, a feature allowing hardware components (like Wi-Fi chips) to access the main system memory directly, bypassing the CPU. This enables fast data transfer, but needs careful management in software:

The driver maps a section of memory for the hardware.

2. The hardware uses it for sending/receiving data.

The driver unmaps the memory when done.

If the driver forgets to unmap memory, the system can eventually run out of memory mappings, leading to crashes or degraded performance. In rare cases, it could be exploited for attacks.

Breaking Down the Bug

The bug was found in the mt76 driver for MediaTek MT7915 chips, used in many Linux wireless devices.

When the driver handled outgoing packets (TX SKBs), it set up multiple memory mappings. But during the cleanup phase, only some mappings were being unmapped; the very first mapping was missed.

Here's the relevant commit fixing the bug:
mt76: mt7915: fix tx skb dma unmap (kernel.org)

A buggy driver could be crashed or DoS’d with crafted traffic.

- Malicious userspace on trusted systems might intentionally trigger the leak by making tons of wireless transmissions, leading to a denial of service.

The Code: Before and After

Let’s look at the key function in question, simplified for clarity.

Before the Fix

// txp points to an array of DMA mappings for the skb.
// Only txwi->frag is unmapped; txwi->buf is missed!
pci_unmap_single(dev->pdev, txwi->frag, skb->len, PCI_DMA_TODEVICE);
for (i = 1; i < nfrags; i++) {
    pci_unmap_page(dev->pdev, txp->frag[i], frag_len, PCI_DMA_TODEVICE);
}

Here, the important first DMA mapping (buf) isn’t unmapped.

After the Fix

// Both buf and other fragments are now unmapped!
pci_unmap_single(dev->pdev, txp->buf, skb_headlen(skb), PCI_DMA_TODEVICE);
for (i = 1; i < nfrags; i++) {
    pci_unmap_page(dev->pdev, txp->frag[i], skb_frag_size(frag), PCI_DMA_TODEVICE);
}

Now, all allocated DMA mappings, including the first pointer (buf), are correctly unmapped.

On a vulnerable kernel, a simple traffic generator could trigger the bug

# Flood the wireless interface with lots of outgoing packets
ping -f -s 140 <big_file_server_on_wifi>

With debugging enabled, you could see DMA mapping entries grow in /proc or kernel logs.

If you’re a developer:

Double-check your DMA map/unmap logic. Tools like kasan or dma-debug help.

Official Patch:

mt76: mt7915: fix tx skb dma unmap @ kernel.org

CVE Database Entry:

CVE-2021-47032 @ cve.mitre.org

Linux Kernel Security Mailing List:

oss-security post (search for CVE-2021-47032)

Final Thoughts

CVE-2021-47032 highlights how even small mistakes in hardware drivers can have an outsized impact on a system’s stability and long-term reliability. Thanks to open kernel development and fast patching, most users are protected once they update. Still, for developers, this bug is a classic lesson: always clean up your allocations, especially with hardware resources.

Stay secure, keep your systems updated, and happy hacking!

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 12/12/2024 15:38:48 UTC