A vulnerability was recently resolved in the Linux kernel, specifically in the RDMA/siw (Remote Direct Memory Access / Software iWARP) module. It is classified as a use-after-free (UAF) issue and can lead to undesirable consequences such as crashes, data corruption or, in some cases, remote code execution. In this post, we discuss the details of the vulnerability as well as the patch that was proposed to fix it.

Vulnerability Details (CVE-2021-47012)

The vulnerability exists in the code path responsible for allocating memory regions used by the RDMA module. In the siw_alloc_mr() function, there is a call to siw_mr_add_mem(mr, ...). The implementation of siw_mr_add_mem() assigns 'mem' to mr->mem and then frees 'mem' via kfree(mem) if xa_alloc_cyclic() fails. However, mr->mem still points to the freed object. Execution continues to the err_out branch of siw_alloc_mr(), where the freed mr->mem is used in siw_mr_drop_mem(mr), which is the use-after-free.

Here is a simplified code snippet to illustrate the vulnerability:

int siw_alloc_mr( ... ) {
    ...
    mem = kzalloc( ... );
    ...
    if (siw_mr_add_mem(mr, ...))
        goto err_out;          /* taken when xa_alloc_cyclic() fails */
    ...
err_out:
    siw_mr_drop_mem(mr);       /* follows mr->mem, which was already freed */
    ...
}

int siw_mr_add_mem( ... ) {
    ...
    mr->mem = mem;             /* published before the table insert succeeds */
    ...
    if (xa_alloc_cyclic(..) < 0) {
        kfree(mem);            /* mr->mem now points to freed memory */
        return -ENOMEM;
    }
    ...
    return 0;
}

Proposed Patch

To fix this vulnerability, the proposed patch moves the statement "mr->mem = mem" after the if (xa_alloc_cyclic(..) < 0) {} section. This avoids the UAF scenario: if 'mem' is freed because xa_alloc_cyclic() failed, mr->mem is never set to the freed object, and the err_out path in siw_alloc_mr() sees a NULL pointer instead of a dangling one. The updated code snippet after applying the patch looks like this:

int siw_mr_add_mem( ... ) {
    ...
    if (xa_alloc_cyclic(..) < 0) {
        kfree(mem);            /* mr->mem was never set, so nothing dangles */
        return -ENOMEM;
    }
    mr->mem = mem;             /* assigned only after the insert succeeded */
    ...
    return 0;
}
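The pattern behind this bug (an owner's pointer is published before a step that can fail, and the failure path frees the object while the owner still points at it) is easy to reproduce outside the kernel. The following userspace C program is an added example written for this post; it is not the kernel's siw code. It models both shapes of siw_mr_add_mem() against a stand-in for xa_alloc_cyclic() that can be forced to fail, and a caller shaped like siw_alloc_mr()'s err_out path that inspects mr->mem to decide whether there is a descriptor to drop. All struct and function names (mem_obj, mr, fake_xa_alloc_cyclic, mr_add_mem_vulnerable, mr_add_mem_fixed, alloc_mr_error_path_dangles, alloc_mr_ok) are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Userspace models of the two objects involved (assumed shapes, not the
 * real struct siw_mr / struct siw_mem definitions). */
struct mem_obj {
    unsigned int id;
    size_t len;
};

struct mr {
    struct mem_obj *mem; /* the owner's pointer to its memory descriptor */
    unsigned int lkey;
};

/* Stand-in for xa_alloc_cyclic(): hands out an id, or fails with -EBUSY
 * when the constructed "table" has been marked full. */
static bool table_full;
static unsigned int next_id = 1;

static int fake_xa_alloc_cyclic(unsigned int *id, struct mem_obj *m)
{
    (void)m;
    if (table_full)
        return -EBUSY;
    *id = next_id++;
    return 0;
}

/* Pre-fix shape of siw_mr_add_mem(): mr->mem is published before the
 * table insert, so a failing insert frees what mr->mem still points to. */
static int mr_add_mem_vulnerable(struct mr *mr, size_t len)
{
    struct mem_obj *mem = calloc(1, sizeof(*mem));
    if (!mem)
        return -ENOMEM;
    mem->len = len;
    mr->mem = mem;                        /* published too early */
    if (fake_xa_alloc_cyclic(&mem->id, mem) < 0) {
        free(mem);                        /* mr->mem now dangles */
        return -ENOMEM;
    }
    mr->lkey = mem->id << 8;
    return 0;
}

/* Post-fix shape: the owner learns about mem only once every step that
 * can fail has succeeded, so the error path sees mr->mem == NULL. */
static int mr_add_mem_fixed(struct mr *mr, size_t len)
{
    struct mem_obj *mem = calloc(1, sizeof(*mem));
    if (!mem)
        return -ENOMEM;
    mem->len = len;
    if (fake_xa_alloc_cyclic(&mem->id, mem) < 0) {
        free(mem);
        return -ENOMEM;
    }
    mr->mem = mem;                        /* published after success */
    mr->lkey = mem->id << 8;
    return 0;
}

/* Caller in the shape of siw_alloc_mr(): on failure its err_out path
 * consults mr->mem to decide whether there is a descriptor to drop.
 * Returns 1 if err_out would have followed a freed pointer, 0 if the
 * error path is safe, and -1 if the add unexpectedly succeeded. */
static int alloc_mr_error_path_dangles(int (*add)(struct mr *, size_t))
{
    struct mr mr;
    memset(&mr, 0, sizeof(mr));
    table_full = true;                    /* force the insert to fail */
    int rv = add(&mr, 4096);
    table_full = false;
    if (rv == 0) {
        free(mr.mem);
        return -1;
    }
    /* err_out: siw_mr_drop_mem(mr) would dereference mr->mem here. We do
     * not touch the freed memory; a non-NULL pointer is the UAF condition. */
    return mr.mem != NULL ? 1 : 0;
}

/* Success path for either variant: the descriptor is owned and the key is
 * derived from its table id. Returns the lkey, or 0 on failure. */
static unsigned int alloc_mr_ok(int (*add)(struct mr *, size_t))
{
    struct mr mr;
    memset(&mr, 0, sizeof(mr));
    if (add(&mr, 4096) < 0)
        return 0;
    unsigned int key = mr.lkey;
    free(mr.mem);
    return key;
}
```

The check in alloc_mr_error_path_dangles() is the invariant the patch restores: after a failed siw_mr_add_mem(), the owner must hold no pointer to the freed descriptor. Building the kernel with KASAN, or a userspace model like this one with AddressSanitizer and an actual dereference in the error path, turns the dangling pointer into an immediate report rather than a silent corruption.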

Original References

It is always a good idea to consult the original references to understand the complete context of the vulnerability and the proposed patch. For this issue, the developer's commit message and the patch itself are available at the following link:

Linux Kernel Git Commit: Fixing UAF vulnerability in RDMA/siw module

Conclusion

Fixing vulnerabilities in widely used software like the Linux kernel helps prevent potential exploitation and protects the systems where it is deployed. This particular UAF vulnerability in the RDMA/siw module was resolved by reordering the code so that the kernel never holds a pointer to memory that has already been freed. Regularly updating your Linux kernel and applying patches mitigates the risks associated with such vulnerabilities and helps maintain system security.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 05/29/2024 05:00:30 UTC