The Linux kernel, which forms the core of most Unix-like operating systems, recently patched a vulnerability in the ch_ktls module. The vulnerability, assigned the identifier CVE-2021-46911, can cause a kernel panic under certain conditions. This article explains the vulnerability, with code snippets and references to the original sources, and discusses how it could be exploited and what that implies for affected systems.

What is ch_ktls?

ch_ktls is a kernel module that provides support for KTLS (Kernel TLS) features. TLS (Transport Layer Security) is a cryptographic protocol used to secure communications over a network. By offloading some of the TLS operations to the kernel, ch_ktls aims to increase performance and reduce overhead for applications using the protocol.

Vulnerability Details

The root cause of the vulnerability in ch_ktls is improper handling of page reference counting. In some cases the page reference count is not incremented correctly, so the page is cleaned up while it is still in use. This premature cleanup results in a kernel panic, crashing the operating system unexpectedly.

The following code snippet illustrates the flawed handling of page reference counting:

/* Translate a page plus an offset into the address handed to the DMA path. */
static inline void *ch_page_offset(const struct page *pg, unsigned int offset)
{
    unsigned int page_num;

    page_num = page_to_pfn(pg) << PAGE_SHIFT_CW;
    return (void *)(unsigned long)(page_num + offset);
}

/* Flawed path: the page is handed to the DMA transmit without the tx_ctx
 * lock being held, so an ACK received in the middle of the transmission can
 * trigger the page cleanup while this transmit still references the page. */
static int handle_tx_page(struct crypto4xx_ctx *ctx, struct page *pg,
                          unsigned int page_offset, unsigned int len,
                          fc_packet_state *state)
{
    if (test_and_clear_bit(PG_dcache_clean, &pg->flags))
        flush_dcache_page(pg);
    return handle_tx_data(ctx, ch_page_offset(pg, page_offset),
                           len, state, DMA_TO_DEVICE);
}

The vulnerability is addressed by taking the tx_ctx lock for the entire skb transmit operation. This ensures that the page cleanup is not triggered if an ACK (acknowledgment) packet is received in the middle of the transmission. The patched code snippet is as follows:

/* Assumed declaration: the snippet uses tx_ctx_lock without declaring it. */
static DEFINE_SPINLOCK(tx_ctx_lock);

static int handle_tx_page(struct crypto4xx_ctx *ctx, struct page *pg,
                          unsigned int page_offset, unsigned int len,
                          fc_packet_state *state)
{
    int ret;

    if (test_and_clear_bit(PG_dcache_clean, &pg->flags))
        flush_dcache_page(pg);

    spin_lock(&tx_ctx_lock);   /* acquire the tx_ctx lock before touching the page */
    ret = handle_tx_data(ctx, ch_page_offset(pg, page_offset),
                          len, state, DMA_TO_DEVICE);
    spin_unlock(&tx_ctx_lock); /* release it once the transmit no longer needs the page */
    return ret;
}
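To make the race concrete, the following is an added example: a deterministic, single-threaded model of the problem described above and of the lock-based fix. It is not code from the page or from the kernel driver; every name in it (tx_ctx, sim_page, ack_arrives, transmit_skb and so on) is invented for the model. A transmit walks the pages of one skb while an ACK that arrives mid-transmit triggers page cleanup; in the flawed variant nothing stops the cleanup, in the fixed variant the ACK cannot run cleanup until the transmit drops the tx_ctx lock.

```c
/* Added example (not from the page or the kernel driver): a single-threaded
 * model of a page being cleaned up by an ACK while a transmit still uses it.
 * All names are invented for the model. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 4

struct sim_page {
    int  refcount;   /* owners of the page; starts at 1 (the tx context) */
    bool freed;      /* set when refcount reaches zero; stands in for kfree */
    char data[8];
};

struct tx_ctx {
    struct sim_page pages[NPAGES];
    bool lock_held;       /* models the tx_ctx lock */
    bool ack_pending;     /* an ACK arrived while the lock was held */
    int  pending_acked;   /* how many pages that deferred ACK covers */
    int  uaf_count;       /* pages the transmit touched after they were freed */
};

static void tx_ctx_init(struct tx_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    for (int i = 0; i < NPAGES; i++)
        ctx->pages[i].refcount = 1;
}

static void put_page_sim(struct sim_page *pg)
{
    if (!pg->freed && --pg->refcount == 0)
        pg->freed = true;
}

/* Page cleanup run by the ACK path: release the first n pages of the skb. */
static void ack_cleanup(struct tx_ctx *ctx, int n)
{
    for (int i = 0; i < n && i < NPAGES; i++)
        put_page_sim(&ctx->pages[i]);
}

/* ACK arrival. With the lock-based fix, an ACK that arrives while the
 * transmit holds the tx_ctx lock must wait until the lock is released. */
static void ack_arrives(struct tx_ctx *ctx, int n)
{
    if (ctx->lock_held) {
        ctx->ack_pending = true;
        ctx->pending_acked = n;
        return;
    }
    ack_cleanup(ctx, n);
}

/* Transmit one skb of NPAGES pages. An ACK covering the whole skb is injected
 * after the second page, modelling an ACK received mid-transmission.
 * hold_lock=false: flawed path (no reference taken, no lock held).
 * hold_lock=true:  fixed path (lock held for the entire skb transmit). */
static int transmit_skb(struct tx_ctx *ctx, bool hold_lock)
{
    if (hold_lock)
        ctx->lock_held = true;

    for (int i = 0; i < NPAGES; i++) {
        struct sim_page *pg = &ctx->pages[i];
        if (pg->freed)
            ctx->uaf_count++;                        /* page vanished under us */
        else
            memset(pg->data, 'x', sizeof pg->data);  /* the DMA handoff */
        if (i == 1)
            ack_arrives(ctx, NPAGES);
    }

    if (hold_lock) {
        ctx->lock_held = false;
        if (ctx->ack_pending) {                      /* run the deferred cleanup */
            ctx->ack_pending = false;
            ack_cleanup(ctx, ctx->pending_acked);
        }
    }
    return ctx->uaf_count;
}

/* Run the model once; returns how many pages were used after being freed. */
int run_model(bool hold_lock)
{
    struct tx_ctx ctx;
    tx_ctx_init(&ctx);
    return transmit_skb(&ctx, hold_lock);
}

/* Pages released by the end of the run: the ACK still frees every page in
 * both variants; the fix only changes when that happens. */
int pages_released(bool hold_lock)
{
    struct tx_ctx ctx;
    int n = 0;
    tx_ctx_init(&ctx);
    transmit_skb(&ctx, hold_lock);
    for (int i = 0; i < NPAGES; i++)
        n += ctx.pages[i].freed;
    return n;
}

int main(void)
{
    printf("flawed path: %d page(s) used after free\n", run_model(false));
    printf("fixed path:  %d page(s) used after free\n", run_model(true));
    return 0;
}
```

Running it shows the flawed path touching two pages after the ACK freed them, while the fixed path touches none; in both cases all four pages are eventually released, which is the point of the fix: the cleanup is not prevented, only kept from running while the transmit still holds the pages.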

Exploit Details

An attacker with the ability to initiate a series of specific TLS connections could potentially trigger the vulnerability and cause a kernel panic, leading to a denial of service (DoS) condition for the affected system. However, it is important to note that the attacker would require significant knowledge of the target system's ch_ktls configuration and ongoing TLS network traffic patterns to successfully exploit this vulnerability.

Original References

This vulnerability was initially discovered and reported by engineers working on the Linux ch_ktls module. The details can be found on the Linux kernel mailing list archives and in the kernel commit history:

1. Linux kernel mailing list discussion: https://lore.kernel.org/all/20210312094745.2435843-1-krishna.gulati@caviumnetworks.com/
2. Kernel patch commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/crypto/chelsio-ch_ktls?id=340d665ea47a7

Closing Thoughts

The Linux kernel's ch_ktls module provides valuable performance improvements for applications utilizing TLS. However, like any software component, it is not immune to vulnerabilities such as CVE-2021-46911. This vulnerability highlights the importance of regularly monitoring and updating operating systems to stay protected from potential security risks.

Timeline

Published on: 02/27/2024 07:15:07 UTC
Last modified on: 04/10/2024 13:49:55 UTC