CVE CyberSecurity Database News

CVE-2021-47055 - How a Linux Kernel Permission Bug Exposed Flash Storage to Tampering

Poster -

In early 2021, a serious vulnerability was discovered in the Linux kernel’s Memory Technology Device (MTD) subsystem. Registered as CVE-2021-47055, the flaw permitted users with mere read permissions on MTD character devices to carry out actions that could permanently alter or damage flash storage, such as locking memory sections or marking blocks as bad.

Let’s break down what happened, how it works, and why the fix matters.

What Went Wrong? — The Vulnerability

The Linux kernel supports interacting with flash storage devices through the MTD subsystem. You access these via device files like /dev/mtd.

Usually, only users with write access should be able to perform risky operations, like

- Locking/unlocking flash memory regions (MEMLOCK, MEMUNLOCK)

Setting bad blocks (MEMSETBADBLOCK)

But an oversight in the kernel code meant these ioctl operations did not always check whether you opened the device _for writing_. As a result, even mere *readers* could make permanent changes.

The Relevant Code Fix

Before the patch, the MTD ioctl handler didn't check for write permissions when handling risky commands.

Here’s a simplified snippet inspired by the patch:

Before the Fix

case MEMLOCK:
case MEMUNLOCK:
case OTPLOCK:
case MEMSETBADBLOCK:
    /* Perform lock, unlock, or bad block operation */
    break;

Any process, even those with only read access, could trigger these!

After the Fix

case MEMLOCK:
case MEMUNLOCK:
case OTPLOCK:
case MEMSETBADBLOCK:
    if (!(file->f_mode & FMODE_WRITE)) {
        ret = -EPERM; // No permission!
        break;
    }
    /* Otherwise, perform the operation */
    break;

Now, if you don’t have write permissions, the kernel returns -EPERM (“operation not permitted”).

Exploiting the Vulnerability: A Typical Attack Path

Step 1: Open an MTD device _read-only_.

int fd = open("/dev/mtd", O_RDONLY); // No write permissions requested

Step 2: Issue a dangerous ioctl.

int ret = ioctl(fd, MEMLOCK, &my_region); // Should NOT be allowed, but _was_!

Result: With CVE-2021-47055 present, this would succeed. Now, it fails unless you opened the device with write permissions.

Kernel Versions: All mainline Linux kernels before v5.13.

- Devices: Embedded systems, routers, IoT, or any Linux-based device with MTD storage and user access.

Patch Now: Upgrade your kernel or backport the fix.

- National Vulnerability Database - CVE-2021-47055
- Kernel Patch on lore.kernel.org
- Commit in Linux kernel source
- Linux MTD Subsystem Documentation

Final Thoughts

While this might sound like an obscure bug, it highlights why permissions checking is always critical—especially when dealing with low-level device controls. Even small oversights can give attackers a path to sabotage your hardware.

Is your kernel version < 5.13? If yes, you should patch—before a prankster or attacker decides to turn your device into a brick!

Timeline

Published on: 02/29/2024 23:15:07 UTC
Last modified on: 01/09/2025 15:34:43 UTC