In June 2021, security researchers and kernel maintainers disclosed CVE-2021-47079, a vulnerability affecting Lenovo's IdeaPad laptop driver in the Linux kernel. This post explains the issue in clear language, shows what caused it, offers relevant code, and references the original resources. Let's get right into it.
What is CVE-2021-47079?
The vulnerability, tracked as CVE-2021-47079, is a NULL pointer dereference bug found in the ideapad-laptop driver, which is part of the platform/x86 subsystem. This driver manages Lenovo IdeaPad-specific functionality, such as special keys and power profiles.
A NULL pointer dereference, simply put, occurs when the program tries to use a pointer that hasn’t been set (NULL), causing a crash or unexpected behavior.
Original CVE entry:
https://nvd.nist.gov/vuln/detail/CVE-2021-47079
Linux kernel patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=352e26e440b8
What Exactly Went Wrong?
In the driver, there is a function called dytc_cql_command. The issue was that this function expected a valid third parameter (address or pointer) to work with. However, some code paths could pass NULL to it—meaning "nothing here".
The problem? The function did NOT check if this parameter was NULL before using—dereferencing—it, leading to a kernel crash (kernel panic).
Here is a simplified snippet inspired by the buggy code in the Linux kernel
int dytc_cql_command(const struct dytc_priv *priv, u8 cmd, void *buf)
{
// ... some code ...
size_t buf_size = *(size_t *)buf; // <-- This will crash if buf is NULL!
// ... some code ...
}
Suppose buf is NULL. The line above tries to dereference it, causing a NULL pointer dereference.
This is not a classic "remote exploit", but more of a Denial of Service (DoS) bug
- A local user with access to the driver (for example, via user space tools or scripts) could trigger the vulnerable code path with a NULL pointer.
This would crash the kernel, causing a system hang or forced restart.
While it doesn't give an attacker full control, it is disruptive.
Exploit Proof-of-Concept (PoC)
Below is an illustrative (not production-safe!) snippet showing how a user could trigger the bug using a malicious kernel driver or, in some cases, crafted user-space calls (for instance, via /proc or /dev device interfaces):
// Pseudocode, for educational purposes ONLY!
// Imagine a userland program or malicious driver:
void trigger_bug(int fd) {
// Pass NULL pointer to ioctl or similar sysfs entry
ioctl(fd, DYTC_CQL_COMMAND, NULL);
}
On a system with the vulnerable driver, this would immediately cause a kernel panic.
The Fix
The kernel developers patched the code by adding a NULL pointer check before using the parameter. If the pointer is NULL, the function simply returns an error instead of proceeding.
Fixed code sample
int dytc_cql_command(const struct dytc_priv *priv, u8 cmd, void *buf)
{
if (!buf)
return -EINVAL; // Exit early if buffer is NULL
// Safe to use buf now
size_t buf_size = *(size_t *)buf;
// ...
}
Commit link:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=352e26e440b8
References
- CVE-2021-47079 entry on NIST
- Linux kernel commit fixing the bug
- lkml.org kernel mailing list discussion
Fix: Check for NULL-pointer before dereferencing.
- Who is affected?: Linux systems running the affected platform/x86/ideapad-laptop driver, usually on Lenovo IdeaPad laptops.
Resolution: Update to a kernel version including the fix.
If you run Linux on an IdeaPad, update your kernel! Even bugs that seem small can cause major headaches. Safe computing!
Timeline
Published on: 03/01/2024 22:15:47 UTC
Last modified on: 12/09/2024 18:41:59 UTC