In the Linux kernel ecosystem, vulnerabilities are frequently identified, reported, and resolved to enhance system security. In this exclusive post, we dive into the details of the CVE-2021-46953 vulnerability that arose in the Advanced Configuration and Power Interface (ACPI) Generic Timer Description Table (GTDT) driver. This vulnerability could lead to corruption of interrupt mappings when the watchdog probe failed. We will present the analysis, links to original references, and the solution that fixes this issue.

Problem Description

In the Linux kernel, the ACPI GTDT driver mishandled interrupt mappings when the watchdog probe failed. On the failure path the driver unmapped the interrupt it had mapped earlier, but it never checked whether that mapping had actually succeeded.

Even worse, when the firmware reported an illegal interrupt number overlapping with the Generic Interrupt Controller (GIC) Software Generated Interrupt (SGI) range, the cleanup could unmap an Interprocessor Interrupt (IPI) instead, causing further problems.

The code snippet below demonstrates the issue in the GTDT driver:

static int gtdt_probe(struct platform_device *pdev)
{
[...]
	error = acpi_gtdt_map_gic_sgi_channel(gtdt, nr_irqs);
	if (error) {
		acpi_gtdt_unmap_all(nr_irqs);
		return error;
	}
	device_property_read_u32(&pdev->dev, "watchdog-device-number", &wdt.prop);
	/* The mapping result is stored and later torn down on failure,
	 * but nothing checks here whether the mapping actually succeeded. */
	wdt_timer->interrupt = arch_timer_get_of_irq(pdev->dev.of_node, wdt.prop);
[...]
}

It is crucial to address this vulnerability to maintain system integrity and avoid instability caused by interrupt mapping issues when handling ACPI GTDT probes.

Original References

The vulnerability was discovered and reported by Dann Frazier, and the details can be found on the Linux kernel commit.

The complete patch that resolves this vulnerability is available at this Linux Kernel Mailing List (LKML) post.

Exploit Details

To trigger this vulnerability, the GTDT driver probe would have to run with invalid firmware properties, so that the driver unmapped the interrupt without having checked whether the mapping actually succeeded.

If the firmware reports an illegal interrupt number overlapping with the GIC SGI range, the cleanup can unmap an IPI, possibly resulting in denial of service or system instability.

Solution

The solution involves reworking the driver to check whether the interrupt has been mapped correctly before attempting to unmap it.

The following code snippet demonstrates the changes made to fix the vulnerability:

static int gtdt_probe(struct platform_device *pdev)
{
[...]
	error = acpi_gtdt_map_gic_sgi_channel(gtdt, nr_irqs);
	if (error) {
		acpi_gtdt_unmap_all(nr_irqs);
		return error;
	}
	device_property_read_u32(&pdev->dev, "watchdog-device-number", &wdt.prop);
	wdt_timer->interrupt = arch_timer_get_of_irq(pdev->dev.of_node, wdt.prop);
	/* Added check: fail the probe if the watchdog interrupt could not be
	 * mapped, instead of carrying an invalid mapping into later cleanup. */
	if (!wdt_timer->interrupt.valid) {
		acpi_gtdt_unmap_all(nr_irqs);
		return -ENODEV;
	}
[...]
}

These changes ensure that the driver checks the success of the interrupt mapping before attempting to unmap it, thus eliminating the vulnerability and mitigating the risk of interrupt mapping corruption and other adverse outcomes on the system's stability.
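The toy model below is an added example, not code from this post or from the kernel tree. It reduces the bug to its essence: a probe that unmaps by firmware-supplied interrupt number on its error path, once without checking that the earlier mapping succeeded (probe_buggy) and once with that check (probe_fixed). The interrupt table, the SGI range 0..15 and the functions map_gsi, reset_lines and ipis_intact are all constructed for the illustration.

```c
#include <stdbool.h>
#define NR_LINES 64
#define SGI_END  16 /* numbers 0..15 model the GIC SGI (IPI) range */
static bool mapped[NR_LINES]; /* constructed: which numbers hold a mapping */

/* Boot state: only the IPIs are mapped, and they must stay mapped. */
static void reset_lines(void)
{
	for (unsigned int i = 0; i < NR_LINES; i++)
		mapped[i] = i < SGI_END;
}

/* Maps a firmware GSI; returns the IRQ (> 0), or 0 for an illegal number. */
static int map_gsi(unsigned int gsi)
{
	if (gsi < SGI_END || gsi >= NR_LINES) /* overlaps SGIs or off the table */
		return 0;
	mapped[gsi] = true;
	return (int)gsi;
}

/* Buggy error path: a later failure unmaps by firmware number without checking
 * that map_gsi() succeeded, so an SGI-range GSI tears down a live IPI. */
static bool probe_buggy(unsigned int gsi, bool later_failure)
{
	int irq = map_gsi(gsi); /* failure tolerated: watchdog just has no IRQ */
	if (later_failure) {
		if (gsi < NR_LINES) mapped[gsi] = false; /* whoever mapped it */
		return false;
	}
	return irq > 0;
}

/* Fixed error path: only a mapping that actually succeeded is unmapped. */
static bool probe_fixed(unsigned int gsi, bool later_failure)
{
	int irq = map_gsi(gsi);
	if (later_failure) {
		if (irq > 0) mapped[gsi] = false; /* irq > 0 implies gsi in range */
		return false;
	}
	return irq > 0;
}

static bool ipis_intact(void) /* true while every IPI line is still mapped */
{
	bool ok = true;
	for (unsigned int i = 0; i < SGI_END; i++)
		ok = ok && mapped[i];
	return ok;
}
```

Running probe_buggy with a GSI of 5 and a later failure leaves IPI line 5 unmapped, while probe_fixed with the same inputs leaves every IPI in place.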

Conclusion

The CVE-2021-46953 vulnerability in the ACPI GTDT driver in the Linux kernel has been resolved, ensuring system stability and improved security in handling interrupt mappings. The fix involves checking the success of the interrupt mapping before attempting to unmap it, protecting the system from corruption and potential instability. The Linux kernel community remains committed to identifying, reporting, and resolving vulnerabilities, providing a robust, secure, and reliable operating system.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 20:15:31 UTC