CVE-2021-47052 - How a Memory Leak in Linux Kernel’s SA2UL Crypto Driver Could Hurt You (and How It Was Fixed)
The Linux kernel is the heart of almost every modern Linux device, from servers to routers. It's robust, but sometimes even well-written code can hide subtle bugs. One such bug was fixed for the crypto driver called sa2ul – a memory leak. Let's break it down, see why it matters, and take a peek at the code that caused it.
What is CVE-2021-47052?
CVE-2021-47052 refers to a security issue in the Linux kernel’s SA2UL crypto driver, where some memory allocations were not freed correctly if an error happened. If left unchecked, this could lead to memory leaks on targeted systems, potentially degrading system performance over time.
Crypto: The driver processes cryptography (encryption, decryption tasks).
- SA2UL: Stands for “Security Accelerator 2 Unified Layer,” a hardware crypto module present in specific Texas Instruments SoCs.
- Memory Leak: When an application does not free memory it no longer uses, it slowly consumes system resources, possibly leading to out-of-memory situations.
Mainly, systems with Texas Instruments chips using the SA2UL hardware crypto.
- Embedded devices, IoT equipment, or routers that compile and use the Linux kernel’s crypto modules.
Deep Dive: How Did the Memory Leak Happen?
This issue was found by Coverity, a static analysis tool. The bug had to do with how error conditions were handled.
In the vulnerable code, something like this happened
rxd = kmalloc(sizeof(*rxd), GFP_KERNEL); // allocate memory for 'rxd'
if (!rxd)
return -ENOMEM; // handle error: failed to allocate
// Some logic...
if (some_error_condition)
return -EINVAL; // BUG: this exit path didn't free 'rxd'
Notice that on some error exits, the rxd memory was not freed before returning – it was just abandoned, causing a leak.
The Fix
The kernel patch adds code to free allocated resources on all exit paths.
The Fixed Code Snippet
rxd = kmalloc(sizeof(*rxd), GFP_KERNEL);
if (!rxd)
return -ENOMEM;
// Some logic...
if (some_error_condition) {
kfree(rxd); // Now the memory is freed before returning
return -EINVAL;
}
The fix is simple: make sure every exit path cleans up after itself.
This isn't a classic privilege escalation or code execution bug. However, it is dangerous
- Denial of Service (DoS): If an attacker can repeatedly trigger the faulty code path (e.g., by sending unexpected requests to an API using SA2UL), memory on the system can be exhausted, eventually crashing or hanging the device.
Here’s a made-up (but realistic) exploit pattern
# This is *not* actual kernel code, but illustrates the pattern:
for i in range(10000):
# Simulate triggering SA2UL with 'bad' input causing error path
s = open_sa2ul_crypto_session(bad_input)
# 'rxd' memory is leaked internally on error
Over time, this would exhaust memory, crash the device, or require a restart. In production systems, these are big headaches.
Detected by: Coverity static analysis, flagged as "Resource leak".
- Patched: Kernel commit 89cfe26fbb9
References
- NVD Entry for CVE-2021-47052
- Linux kernel commit with fix
- Patch discussion on lore.kernel.org
If you run custom kernels: Patch to a version after the fix (v5.13 and up).
- Device manufacturers/IoT devs: Pull down the latest stable Linux kernel.
- General Linux users: If your distro uses these TI SoCs, update regularly. Most users on x86/_AMD64 are not affected.
Conclusion
Memory leaks may sound harmless, but in the heart of the kernel, they aren’t. Even “little” bugs in exotic drivers can be used to cause stability nightmares. The good news is: this one is patched. Just update your kernel, or heck, remind your vendor to do so!
If you want to dig deeper, check out the original patch or read up on the CVE.
Timeline
Published on: 02/28/2024 09:15:40 UTC
Last modified on: 12/09/2024 18:46:53 UTC