CVE-2021-46932 - Resolving Linux Kernel Vulnerability Involving Appletouch and Work Initialization
A recently discovered vulnerability, CVE-2021-46932, has been identified within the Linux kernel's handling of the appletouch - initialize work sequence before device registration. This vulnerability was reported by Syzbot, a security bot that detects kernel bugs using fuzzing techniques. This blog post seeks to examine this vulnerability, share a suitable patch, provide code snippets, and delve into relevant exploit details.
The Problem
The warning reported by Syzbot is triggered in __flush_work() and is caused by work->func being equal to NULL, which indicates a missing work initialization. This issue arises because input_dev->close() calls cancel_work_sync(&dev->work), while dev->work initialization occurs _after_ the input_register_device() call. In essence, the device's work is being canceled before it's even initialized, causing a potential security vulnerability.
The Patch
To address this problem and close the potential security hole, a patch has been developed that moves dev->work initialization before registering the input device. The following code snippet illustrates the proposed changes:
// Prior code structure (vulnerable):
input_set_capability(input_dev, EV_ABS, ABS_PRESSURE);
input_set_abs_params(input_dev, ABS_PRESSURE, , 255, , );
error = input_register_device(input_dev);
if (error)
return error;
INIT_WORK(&dev->work, atp_work);
// Updated code structure (patched):
INIT_WORK(&dev->work, atp_work);
input_set_capability(input_dev, EV_ABS, ABS_PRESSURE);
input_set_abs_params(input_dev, ABS_PRESSURE, , 255, , );
error = input_register_device(input_dev);
if (error)
return error;
By moving the INIT_WORK(&dev->work, atp_work) line before the input_register_device() call, proper work initialization occurs before the input device is canceled. With this change, the vulnerability is effectively patched, and the potential for exploit is mitigated.
Links to Original References
1. Syzbot Report
2. Linux Kernel Mailing List (LKML) Discussion
3. Linux Kernel Git Commit
Exploit Details
While no known specific exploits for CVE-2021-46932 currently exist, the vulnerability could potentially be leveraged by attackers to execute arbitrary code or cause denial of service (DoS) attacks, as improper work initialization may lead to unpredictable behavior. The patch provided above ensures that this vulnerability is addressed, and users are strongly encouraged to update their Linux kernel to a patched version.
Timeline
Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 18:02:06 UTC