Summary:
A memory leak vulnerability, now designated CVE-2021-47042, was discovered and resolved in the AMD display module (amdgpu) within the Linux kernel. This bug could have caused system instability by leaking memory every time the AMD GPU module was loaded, possibly leading to denial of service (DoS) through resource exhaustion.

What Happened?

During module loading (amd_module_load), the driver failed to free local data after use in the function dc_link_construct(). Specifically, memory allocated with kmem_cache_alloc was forgotten, resulting in a memory leak.

The Problem

The kernel memory allocator reported unreferenced objects not being freed, as shown in the kernel's memory leak debug logs. If this happened repeatedly, system memory would eventually fill up, reducing performance or even causing a crash.

Key Trace

unreferenced object xffffa03e81471400 (size 1024):
comm "amd_module_load", pid 2486, jiffies 4294946026 (age 10.544s)
backtrace:
[<000000000bdf5c4a>] kmem_cache_alloc_trace+x30a/x4a
[<00000000e7c59fe>] link_create+xce/xac [amdgpu]
[...]

The Faulty Function: dc_link_construct()

dc_link_construct() is called when building internal data structures for display connectors, particularly DisplayPort and HDMI links. However, it failed to free temporary or helper objects upon completion.

Vulnerable code (before fix)

void dc_link_construct(struct dc *dc)
{
    struct dc_link *link = kzalloc(sizeof(*link), GFP_KERNEL);

    // ... setup code ...

    // Bug: forgot to free additional allocated helper!
    // struct link_helper *helper = kmalloc(sizeof(*helper), GFP_KERNEL);
    // ... use helper ...
    // MISSING: kfree(helper);

    // ... more code ...

    // At function end
    // kfree(link); // Okay
}

Patched code (after fix)

void dc_link_construct(struct dc *dc)
{
    struct dc_link *link = kzalloc(sizeof(*link), GFP_KERNEL);

    // ... setup code ...

    struct link_helper *helper = kmalloc(sizeof(*helper), GFP_KERNEL);
    // ... use helper ...

    kfree(helper);   // Fixed: free after use!

    // ... more code ...

    kfree(link);
}

Security Impact

- Risk: Local attackers could potentially load and unload the AMD module repeatedly, causing a slow denial of service as memory was not reclaimed.
- Exploitation: There is no direct privilege escalation or code execution, but local users could destabilize the system.
- Affected: Linux laptops, desktops, or servers using the AMD display driver (amdgpu). Kernel versions before the fix are susceptible.

How Was It Fixed?

The patch resolved the memory leak by ensuring all allocated local data is freed after use within dc_link_construct().

The commit message in the Linux kernel reads

> drm/amd/display: Free local data after use
>

> Fixes the following memory leak in dc_link_construct()

> unreferenced object xffff...

Patch reference:
See the official commit on kernel.org
CVE entry: NVD - CVE-2021-47042

lsmod | grep amdgpu

- Watch for suspicious memory leaks:

bash

dmesg | grep -i leak

cat /proc/meminfo
`

Mitigation:
- Upgrade to a kernel with the patch (5.13 or later).
- Or apply vendor updates (distro security patches).

---

## Conclusion

CVE-2021-47042 highlights how even simple programming oversights in device drivers can impact overall system reliability. While this bug didn’t allow attackers to take control of the machine, it could have been used to make a Linux computer unstable or unusable.

### More Reading

- Upstream Fix Commit
- CVE-2021-47042 NVD Entry
- Linux AMDGPU Driver Documentation
- Linux Kernel Security

---

Stay up-to-date
Always keep your Linux system and drivers patched to avoid bugs like this!

Timeline

Published on: 02/28/2024 09:15:40 UTC
Last modified on: 12/06/2024 18:41:24 UTC