Hello everyone! Today, we will be discussing a vulnerability that has recently been resolved in the Linux kernel under the identifier CVE-2021-47032. The issue lies within the mt76 subsystem, specifically within the mt7915 driver, and concerns a leak of DMA (Direct Memory Access) mapping entries.

As some of you may know, mt76 is an open-source driver for MediaTek wireless chipsets primarily found in routers and Wi-Fi adapters. The mt7915, in particular, is one of the most recent wireless chips supported by the mt76 driver.

The vulnerability concerns how the kernel unmaps DMA mappings when handling TX (transmit) sk_buff objects (skbs). The fix unmaps the first pointer in the Transmission Path (txp) as well, so that DMA mapping entries no longer leak.

Here's a snippet of the patched code to give you more context:

static void mt7915_txp_skb_unmap(struct mt7915_dev *dev, struct sk_buff *skb)
{
    ...
    /* Unmap every paged fragment of the skb; the loop must start at 0 */
    for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
        skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
        dma_addr_t addr = *((dma_addr_t *)&skb->cb[MT_DMA_ADDR_OFFS] + i);
        dma_unmap_page(dev->mt76.dev, addr, skb_frag_size(frag),
                       DMA_TO_DEVICE);
    }
    /* The fix: unmapping the first pointer in txp (the linear head) */
    dma_unmap_single(dev->mt76.dev, *(dma_addr_t *)&skb->cb[MT_DMA_ADDR_OFFS],
                     skb_headlen(skb), DMA_TO_DEVICE);
}

The fix, shown above in the last three lines of the code snippet, ensures that the first pointer in the txp is properly unmapped, so DMA mapping entries are no longer leaked.
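The leak the fix closes, as an added example that is not the driver's code: a toy C model of DMA mapping bookkeeping in which the buggy completion path skips the head buffer and the fixed one releases it. dma_map, dma_unmap, struct txp and leaked_after_tx are hypothetical stand-ins for the kernel DMA API, and the mapping table is constructed here.

```c
/* Added example, not the mt76 driver's code: a toy model of the DMA mapping
 * bookkeeping behind this bug. All names here are hypothetical stand-ins. */
#include <stdint.h>
#include <string.h>
#define MAX_MAPPINGS 16   /* constructed mapping table; 0 marks a free slot */
#define MAX_FRAGS 4
static uintptr_t mappings[MAX_MAPPINGS];
/* Stand-in for dma_map_single(): record a live mapping, return its handle. */
static uintptr_t dma_map(const void *cpu_addr)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (mappings[i] == 0)
            return mappings[i] = (uintptr_t)cpu_addr;
    return 0;   /* table exhausted: what a slow leak eventually causes */
}
/* Stand-in for dma_unmap_single(): release a live mapping, -1 if unknown. */
static int dma_unmap(uintptr_t dma_addr)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (dma_addr && mappings[i] == dma_addr) { mappings[i] = 0; return 0; }
    return -1;
}
/* Mappings still held; CONFIG_DMA_API_DEBUG reports the real equivalent. */
static int dma_outstanding(void)
{
    int n = 0;
    for (int i = 0; i < MAX_MAPPINGS; i++) n += mappings[i] != 0;
    return n;
}
/* txp-like descriptor: buf[0] is the skb head, buf[1..nbuf-1] the frags. */
struct txp { uintptr_t buf[1 + MAX_FRAGS]; int nbuf; };
/* Buggy completion path: only the fragments are released, buf[0] leaks. */
static void unmap_txp_buggy(const struct txp *t)
{ for (int i = 1; i < t->nbuf; i++) dma_unmap(t->buf[i]); }
/* Fixed completion path: the first (head) pointer is released as well. */
static void unmap_txp_fixed(const struct txp *t)
{ for (int i = 0; i < t->nbuf; i++) dma_unmap(t->buf[i]); }
/* Map a head plus nfrags fragments, complete the TX with the chosen path,
 * and return how many mapping entries that single packet left behind. */
static int leaked_after_tx(int nfrags, int use_fix)
{
    static char head[64], frags[MAX_FRAGS][64];   /* constructed payloads */
    struct txp t = { .nbuf = 1 + nfrags };
    memset(mappings, 0, sizeof(mappings));
    t.buf[0] = dma_map(head);
    for (int i = 0; i < nfrags; i++) t.buf[1 + i] = dma_map(frags[i]);
    if (use_fix) unmap_txp_fixed(&t); else unmap_txp_buggy(&t);
    return dma_outstanding();
}
```

Every packet sent through the buggy path leaves exactly one entry behind regardless of fragment count, which is why the leak shows up as the mapping table filling up over time rather than as an immediate crash.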

This patch has been merged into the mainline kernel as of version 5.15-rc1 and backported to stable kernel versions as advised by the upstream maintainers. For more information about the vulnerability and the patch, kindly refer to the following references:

1. CVE-2021-47032: NVD Vulnerability Database Entry
2. Linux Kernel Git Repository: Commit implementing the fix
3. mt76 GitHub Repository

To exploit this vulnerability, an attacker would need the ability to manipulate or control the skb objects directly, which is quite difficult in real-world scenarios without administrative privileges. However, it is still essential to apply the patch as soon as possible to avoid any issues that could arise from this leakage.

In summary, CVE-2021-47032 is a resolved vulnerability within the Linux kernel, specifically in the mt7915 driver of the mt76 subsystem, that caused DMA mapping entries to leak. The fix is available in Linux kernel 5.15-rc1 and has been backported to the appropriate stable versions. We recommend updating your kernel to ensure you are protected against this vulnerability. As always, keeping your system patched and up to date is one of the most critical steps in cybersecurity. Stay safe out there!

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 05/29/2024 05:00:52 UTC