CVE-2021-46995: Linux Kernel Vulnerability Resolved in can: mcp251xfd: mcp251xfd_probe(): Fixing an Error Pointer Dereference in Probe

The Linux kernel is an essential and powerful part of many computing systems and is used in a wide variety of devices and platforms. Ensuring the stability and security of the Linux kernel is crucial to maintaining the overall strength of the systems that utilize it. Recently, a vulnerability has been identified and resolved within the kernel relating to an error pointer dereference in the "can: mcp251xfd: mcp251xfd_probe()" function. This article will explore the details of this vulnerability, CVE-2021-46995, and how it has been addressed.

Description of Vulnerability: Error Pointer Dereference

The vulnerability in question is an error pointer dereference that occurs in the "can: mcp251xfd: mcp251xfd_probe()" function of the Linux kernel when the kernel is interacting with the mcp251xfd CAN (Controller Area Network) device. This issue led to a potential crash of the system, known as an "Oops," which can cause undefined behavior and may lead to exploitation by malicious actors.

The issue was introduced inadvertently when the code was converted to use the "dev_err_probe()" function. During the conversion, a necessary "return" statement was accidentally removed. This removal meant that if the "devm_clk_get()" command resulted in an error, the "clk_get_rate()" function would be called on the next line, causing the "Oops" crash to occur.

Patch and Code Snippet

To address this vulnerability, a patch was created that restores the missing "return" statement. Here is a snippet of the patch illustrating the fix:

  // Before patch:
  if (IS_ERR(clk)) {
    dev_err_probe(dev, PTR_ERR(clk), "No CAN FD capable CAN controller clock");
-  }
+  } else {
    mcp251xfd->clk = clk;
    mcp251xfd->clk_frequency = clk_get_rate(clk);
  }

As you can see from the code snippet, the patch adds a "}" to close off the "if" statement and an "else" statement to ensure that the "mcp251xfd->clk_frequency = clk_get_rate(clk)" call is executed only if there isn't an error with "devm_clk_get()".

Original References

The following links provide additional information about the vulnerability, patch, and discussions around the issue:

1. Linux Kernel Mailing List (LKML) discussion on the vulnerability: https://lore.kernel.org/all/20210913101556.271475-1-tzungbi@google.com/
2. Patch diff for the fix in the Linux kernel source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=33faaff5e50d286426dc30102d4f106fe87af3a

Conclusion: Importance of Continuous Improvement

CVE-2021-46995 serves as yet another reminder of the importance of constant vigilance and regular patching of critical components such as the Linux kernel. Thanks to the efforts of dedicated developers and security professionals, this vulnerability has been addressed. However, it is essential for system administrators, developers, and users to be aware of such vulnerabilities and ensure that their systems are regularly updated with the latest patches. This practice will help maintain security and reduce the risk of malicious exploitation in an ever-evolving technological landscape.

Timeline

Published on: 02/28/2024 09:15:37 UTC
Last modified on: 05/29/2024 05:00:12 UTC