CVE-2021-47631 addresses a NULL pointer dereference in the Linux kernel's ARM DaVinci board support, specifically in the DA850-EVM board file. The bug is in da850_evm_config_emac(), an initcall that dereferences the emac_pdata pointer of davinci_soc_info before checking which machine the kernel is actually running on. On any machine other than the DA850-EVM that pointer is NULL, so a kernel image that includes this board file oopses during early boot. The practical impact is denial of service: the affected kernel does not finish booting on such machines.
The kernel developers fixed the problem by moving the dereference of emac_pdata below the machine_is_davinci_da850_evm() check in da850_evm_config_emac(). With that ordering the pointer is only dereferenced when the kernel is running on the supported SoC, where davinci_soc_info has been populated.
Exploit Details
The vulnerability is found in the ARM machine configuration function da850_evm_config_emac() in the file arch/arm/mach-davinci/board-da850-evm.c.
It is triggered when the emac_pdata pointer is NULL: the kernel oopses (Oops: 5 in the crash report) on the load through that pointer. The crash was reproduced by booting multi_v5_defconfig, which builds in the DA850-EVM board file alongside other ARMv5 platforms, on QEMU's palmetto-bmc machine, an Aspeed BMC board rather than a DaVinci SoC. emac_pdata is expected to be filled in through the davinci_soc_info structure, but that structure is only populated by the DaVinci SoC initialisation code, so on every other machine it stays zeroed and emac_pdata is NULL. Because da850_evm_config_emac() is registered with device_initcall(), it still runs on those machines, and it dereferenced the pointer before asking whether the current machine is the DA850-EVM at all.
Code Snippet
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/platform_device.h>
#include <linux/davinci_emac.h>   /* struct emac_platform_data */
#include <asm/mach-types.h>       /* machine_is_davinci_da850_evm() */
#include <mach/common.h>          /* davinci_soc_info */
...
/*
 * Registered below with device_initcall(), so this runs on every machine
 * the kernel boots on, not only on the DA850-EVM.
 */
static __init void da850_evm_config_emac(void)
{
	struct davinci_soc_info *soc_info = &davinci_soc_info;
	...
	/*
	 * Unconditional dereference: emac_pdata is only set when the DaVinci
	 * SoC init code populated davinci_soc_info, so on any other machine
	 * this load goes through a NULL pointer and the kernel oopses.
	 */
	davinci_emac_pdata.rmii_en = soc_info->emac_pdata->rmii_en;
	platform_device_register_data(NULL, "davinci_emac", -1,
				      &davinci_emac_pdata,
				      sizeof(davinci_emac_pdata));
	...
}
device_initcall(da850_evm_config_emac);
Fix for CVE-2021-47631
To fix the vulnerability, the assignment of the rmii_en value is moved below the machine check so that the emac_pdata pointer is only dereferenced when running on a supported SoC platform.
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/platform_device.h>
#include <linux/davinci_emac.h>   /* struct emac_platform_data */
#include <asm/mach-types.h>       /* machine_is_davinci_da850_evm() */
#include <mach/common.h>          /* davinci_soc_info */
...
static __init void da850_evm_config_emac(void)
{
	struct davinci_soc_info *soc_info = &davinci_soc_info;

	/* Bail out first: on any other machine emac_pdata is NULL. */
	if (!machine_is_davinci_da850_evm())
		return;
	...
	/* Only reached on the DA850-EVM, where emac_pdata has been populated. */
	davinci_emac_pdata.rmii_en = soc_info->emac_pdata->rmii_en;
	platform_device_register_data(NULL, "davinci_emac", -1,
				      &davinci_emac_pdata,
				      sizeof(davinci_emac_pdata));
	...
}
device_initcall(da850_evm_config_emac);
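The following is an added example, not code from the kernel or from the fix: a user-space model of the initcall ordering described in the Exploit Details section and in the fix above. It mimics the kernel names (davinci_soc_info, machine_is_davinci_da850_evm, davinci_emac_pdata) so the two orderings can be compared, and runs both versions on a DA850-EVM and on a non-DaVinci machine the way device_initcall() does, unconditionally. The helpers load_rmii_en() and run_initcall(), the enum values, and the rmii_en = 1 platform data are assumptions made for the model; on real hardware the NULL load faults instead of being reported.

```c
/*
 * Added example (not kernel code): user-space model of the CVE-2021-47631
 * initcall-ordering bug. Kernel names are mimicked; helpers are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum machine { MACH_DAVINCI_DA850_EVM = 0, MACH_PALMETTO_BMC = 1 };

struct emac_platform_data { unsigned char rmii_en; };

/* Stand-in for the kernel's davinci_soc_info: only DaVinci SoC init fills it. */
struct davinci_soc_info { struct emac_platform_data *emac_pdata; };
static struct davinci_soc_info davinci_soc_info;

/* Stand-in for the board file's platform data that gets registered. */
static struct emac_platform_data davinci_emac_pdata;

static enum machine current_machine;

static bool machine_is_davinci_da850_evm(void)
{
	return current_machine == MACH_DAVINCI_DA850_EVM;
}

enum initcall_result {
	INITCALL_OOPS,        /* NULL emac_pdata dereferenced: kernel would panic */
	INITCALL_SKIPPED,     /* machine check failed before emac_pdata was touched */
	INITCALL_REGISTERED,  /* davinci_emac registered with rmii_en from emac_pdata */
};

/*
 * Simulated load of soc_info->emac_pdata->rmii_en. On hardware a NULL
 * emac_pdata faults at this load; the model reports it instead of crashing.
 */
static bool load_rmii_en(const struct davinci_soc_info *soc_info, unsigned char *out)
{
	if (!soc_info->emac_pdata)
		return false;
	*out = soc_info->emac_pdata->rmii_en;
	return true;
}

/* Ordering before the fix: dereference first, machine check second. */
static enum initcall_result config_emac_before_fix(void)
{
	struct davinci_soc_info *soc_info = &davinci_soc_info;
	unsigned char rmii_en;

	if (!load_rmii_en(soc_info, &rmii_en))
		return INITCALL_OOPS;
	if (!machine_is_davinci_da850_evm())
		return INITCALL_SKIPPED;
	davinci_emac_pdata.rmii_en = rmii_en;
	return INITCALL_REGISTERED;
}

/* Ordering after the fix: machine check first, dereference only on the DA850-EVM. */
static enum initcall_result config_emac_after_fix(void)
{
	struct davinci_soc_info *soc_info = &davinci_soc_info;
	unsigned char rmii_en;

	if (!machine_is_davinci_da850_evm())
		return INITCALL_SKIPPED;
	if (!load_rmii_en(soc_info, &rmii_en))
		return INITCALL_OOPS;
	davinci_emac_pdata.rmii_en = rmii_en;
	return INITCALL_REGISTERED;
}

/* Constructed platform data for the DA850-EVM (rmii_en = 1 is an assumption). */
static struct emac_platform_data da850_evm_emac_pdata = { .rmii_en = 1 };

/*
 * Boot the model on a machine, then run the initcall unconditionally, as
 * device_initcall() does. Only the DaVinci path populates davinci_soc_info.
 */
static enum initcall_result run_initcall(enum machine m, bool fixed)
{
	current_machine = m;
	davinci_soc_info.emac_pdata =
		(m == MACH_DAVINCI_DA850_EVM) ? &da850_evm_emac_pdata : NULL;
	davinci_emac_pdata.rmii_en = 0xff;   /* sentinel: nothing registered */
	return fixed ? config_emac_after_fix() : config_emac_before_fix();
}

int main(void)
{
	static const char *const names[] = { "da850-evm", "palmetto-bmc" };
	static const char *const outcomes[] = {
		"OOPS: NULL emac_pdata dereferenced",
		"skipped: not the DA850-EVM",
		"davinci_emac registered",
	};

	for (int fixed = 0; fixed <= 1; fixed++)
		for (int m = 0; m <= 1; m++)
			printf("%-7s kernel on %-12s -> %s\n", fixed ? "fixed" : "unfixed",
			       names[m], outcomes[run_initcall((enum machine)m, fixed)]);
	return 0;
}
```

The unfixed ordering reports an oops on palmetto-bmc because the load happens before anything has asked which machine is booting; the fixed ordering returns early there and still registers the device with the right rmii_en on the DA850-EVM. The same rule applies to any board-file initcall: data that only one SoC's init code populates must be read after the machine check, not before.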
Original References
1. Linux Kernel Mailing List – ARM: davinci: fix da850-evm kernel crash due to NULL pointer dereference
2. Linux Kernel Git – Fix for ARM: davinci: da850-evm: avoid NULL pointer dereference
Conclusion
CVE-2021-47631 is a NULL pointer dereference in the Linux kernel's ARM DaVinci DA850-EVM board code: da850_evm_config_emac() dereferenced davinci_soc_info.emac_pdata before checking the machine type, so a kernel that includes this board file crashed at boot on any non-DaVinci machine. The fix moves the dereference below the machine_is_davinci_da850_evm() check, so the pointer is only touched on the supported SoC and the kernel boots normally elsewhere. The general lesson for board-file initcalls is the same: anything registered with device_initcall() runs on every machine the kernel boots on, so machine-specific data must be read only after the machine check.
Timeline
Published on: 02/26/2025 06:37:04 UTC
Last modified on: 03/18/2025 19:35:26 UTC