Understanding the Security Impact of CVE-2021-46920: Linux Kernel Vulnerability in Dmaengine: Idxd, Fixed in 5.15-rc2

Recently, an important vulnerability was resolved in the Linux kernel (dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback) that could potentially affect numerous systems running the popular open-source operating system. The issue is tracked as CVE-2021-46920, a Common Vulnerabilities and Exposures (CVE) identifier that uniquely names the flaw so it can be tracked across advisories, distributions, and systems.

In this long-read post, we'll dive deep into understanding the implications of this security issue, explore code snippets that demonstrate the vulnerability, and provide links to original references. We'll also discuss the specific details of the exploit and how it was fixed. So, let's get started!

Background

The Linux kernel is the core component of the operating system, responsible for managing system resources such as memory, CPU, and I/O devices. It also provides an interface for applications to interact with the hardware. As an open-source project, the Linux kernel is constantly under development with new features, optimizations, and bug fixes being added regularly. However, this also means that new vulnerabilities can be introduced inadvertently. One such vulnerability was spotted in the dmaengine subsystem of the kernel.

Dmaengine is the kernel's direct memory access (DMA) framework, responsible for managing the transfer of data between memory and peripherals without involving the CPU. The idxd (Intel Data Accelerator Driver) is a part of the dmaengine subsystem designed specifically for Intel's Data Streaming Accelerator (DSA) devices. This is where the vulnerability was found: in the idxd_writeback function.

Code Snippet

The issue occurs because the current code blindly overwrites the SWERR and OVERFLOW bits of the status register on writeback. To understand this, let's look at the affected code within the Linux kernel source (drivers/dma/idxd/device.c):

static void idxd_writeback(struct idxd_device *idxd, u32 offset)
{
	u32 reg;

	/* read the current contents of the status register */
	reg = readl(idxd->reg_base + offset);
	/* the mask spans both the SWERR and the OVERFLOW bits, so both are overwritten */
	reg |= GENMASK(, 12);
	writel(reg, idxd->reg_base + offset);
}

Notice how idxd_writeback reads the register and then ORs a bitmask into the value (the |= operator) before writing it back. The problem is that this bitmask (GENMASK(, 12)) spans both the SWERR and the OVERFLOW bits, so the writeback overwrites both, which should not happen: the OVERFLOW bit reported by the device is lost.

Exploit Details

The potential impact of this vulnerability is a malfunctioning DMA subsystem. The dmaengine framework provides an essential service to peripheral devices that use DMA for data transfer, and a misbehaving idxd driver could result in errors, hangs, or even data corruption. Seemingly unrelated parts of the kernel could also be affected, since DMA is used in many places throughout the system. Attackers could potentially exploit this vulnerability to cause a denial of service (DoS) or for other nefarious purposes.

Resolution

The vulnerability was fixed by modifying the idxd_writeback function to preserve the OVERFLOW bit on writeback. Here's the updated code snippet that reflects the changes from the Linux kernel source (drivers/dma/idxd/device.c):

static void idxd_writeback(struct idxd_device *idxd, u32 offset)
{
	u32 reg;

	/* read the current contents of the status register */
	reg = readl(idxd->reg_base + offset);
	/* this preserves the OVERFLOW bit along with the actual bits read */
	reg |= ((readl(idxd->reg_base + offset) & (~BIT(10))) & (~BIT(11)));
	writel(reg, idxd->reg_base + offset);
}

The fix reads the original register value first and then applies the bitmask so that the OVERFLOW bit is preserved on writeback rather than blindly overwritten.
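To make the read-modify-write hazard described in the Code Snippet and Resolution sections concrete, here is an added, self-contained model that is not code from the kernel or from this post. It simulates a status register as a plain memory word and contrasts a writeback whose OR mask spans a device-owned OVERFLOW bit with one whose mask stops at the SWERR field. The bit positions (SWERR in bits 0..7, OVERFLOW in bit 8), the EX_ prefixed names, and the register values are constructed assumptions for the example, not the DSA register layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of a software-error status register. Bit positions are
 * illustrative assumptions for this example, not the DSA layout: bits 0..7
 * form the "SWERR" field the driver acknowledges, bit 8 is an OVERFLOW flag
 * that only the device is supposed to set or clear. */
#define EX_BIT(n)        (1u << (n))
#define EX_GENMASK(h, l) (((~0u) >> (31 - (h))) & ((~0u) << (l)))
#define EX_SWERR_MASK    EX_GENMASK(7, 0)
#define EX_OVERFLOW_BIT  EX_BIT(8)

/* Simulated MMIO register: a plain store, so whatever the driver writes is
 * what the next read returns. */
struct ex_dev {
	uint32_t swerr_reg;
};

static uint32_t ex_readl(const struct ex_dev *d)
{
	return d->swerr_reg;
}

static void ex_writel(struct ex_dev *d, uint32_t v)
{
	d->swerr_reg = v;
}

/* Buggy writeback, the pattern the post describes: the OR mask spans the
 * OVERFLOW bit, so every writeback forces OVERFLOW to 1 regardless of what
 * the device actually reported. */
static void ex_writeback_clobbering(struct ex_dev *d)
{
	uint32_t reg = ex_readl(d);

	reg |= EX_GENMASK(8, 0);	/* covers SWERR and OVERFLOW */
	ex_writel(d, reg);
}

/* Fixed writeback: the mask stops at the SWERR field, so the OVERFLOW bit
 * written back is exactly the OVERFLOW bit that was read. */
static void ex_writeback_preserving(struct ex_dev *d)
{
	uint32_t reg = ex_readl(d);

	reg |= EX_SWERR_MASK;		/* SWERR only, OVERFLOW untouched */
	ex_writel(d, reg);
}

/* Check used by the example: start from a constructed register value, run a
 * writeback routine, and report whether the device-owned OVERFLOW bit still
 * reads as it did before. The clobbering bug only shows when OVERFLOW was
 * clear, so run the check with both states. */
static bool ex_overflow_preserved(void (*writeback)(struct ex_dev *),
				  uint32_t initial)
{
	struct ex_dev d = { .swerr_reg = initial };
	uint32_t before = ex_readl(&d) & EX_OVERFLOW_BIT;
	uint32_t after;

	writeback(&d);
	after = ex_readl(&d) & EX_OVERFLOW_BIT;
	return before == after;
}

int main(void)
{
	/* constructed snapshot: one SWERR bit set, OVERFLOW clear */
	const uint32_t no_overflow = EX_BIT(3);

	printf("clobbering writeback keeps OVERFLOW as read: %s\n",
	       ex_overflow_preserved(ex_writeback_clobbering, no_overflow) ? "yes" : "no");
	printf("preserving writeback keeps OVERFLOW as read: %s\n",
	       ex_overflow_preserved(ex_writeback_preserving, no_overflow) ? "yes" : "no");
	return 0;
}
```

The useful takeaway for review is the check itself: for any status register with hardware-owned bits, a read-modify-write path should be exercised with those bits both clear and set, and the value read back afterwards must match what was read before. A mask that covers a bit the driver does not own fails that check immediately, as the clobbering variant does here.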

Here are the key references that provide more context and details about this vulnerability:

1. CVE-2021-46920: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46920
2. Linux Kernel Git Commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f5f840dcbc55eb96384f478f422db79b1349504
3. Linux Kernel Changelog (5.15-rc2): https://lkml.org/lkml/2021/9/12/312

Conclusion

As a Linux user or system administrator, it is crucial to be aware of vulnerabilities like CVE-2021-46920 to keep your systems secure. Thankfully, the Linux kernel development community responds quickly to such issues and provides regular updates and patches to address them. Keep your systems updated and apply the relevant patches to minimize the risk from vulnerabilities like this one.

Timeline

Published on: 02/27/2024 07:15:08 UTC
Last modified on: 04/10/2024 14:52:39 UTC