CVE-2021-47035 - Resolving Inconsistencies in Linux Kernel's IOMMU VT-d by Removing Write-Only Permissions on Second-Level Paging Entries

A recent vulnerability (CVE-2021-47035) was discovered within the Linux kernel that affects the IOMMU VT-d second-level paging entries. The patch provided for this vulnerability resolves the inconsistency between first and second-level paging permissions, ultimately enhancing system security and stability. In this post, we'll dive deep into the context of the issue, the relevant code snippet, official references, and exploit details.

Background

The Intel Virtualization Technology for Directed I/O (VT-d) is a feature that improves system performance and security by allowing hardware devices, specifically peripherals, to directly access memory without involving the CPU or OS. This process is done through I/O memory management unit (IOMMU).

In Linux, the IOMMU driver is designed to handle page table entries that control the virtual-to-physical translation for these device accesses. First and second-level paging are two different mechanisms that can be used for the same translation. In some cases, a mismatch in the handling of permissions between these levels could lead to security vulnerabilities or system instability.

The Vulnerability

When the first-level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. However, the Write-Only permission is not supported, as the PRESENT bit (implying Read permission) should always be set. When using the second level, the code was still configured to give separate permissions allowing Write-Only, causing inconsistency and the potential for unexpected behavior.

To have a consistent permission behavior between first and second-level paging, the patch removes the Write-Only permission configuration on second-level paging entries.

Code Snippet

In this code snippet from the patch, you can see the change made in the respective conditional blocks to remove the Write-Only permissions for second-level page tables:

- if (prot & _PAGE_PRESENT) {
-   if (prot & _PAGE_RW)
-      set_pte_authentication(&ae, SPT_PTE_DMA_READ | SPT_PTE_DMA_WRITE);
-   else
-      set_pte_authentication(&ae, SPT_PTE_DMA_READ);
- } else {
-   if (prot & _PAGE_RW)
-      set_pte_authentication(&ae, SPT_PTE_DMA_WRITE);
-   else
-      set_pte_authentication(&ae, );
-}

+ if (prot & _PAGE_PRESENT)
+    set_pte_authentication(&ae, SPT_PTE_DMA_READ |
+                              ((prot & _PAGE_RW) ? SPT_PTE_DMA_WRITE : ));
+ else
+    set_pte_authentication(&ae, );

With this modification, the Write-Only permission will no longer be allowed for second-level paging entries when the first-level page table is used for IOVA translation.

Official References

The official Linux kernel commit can be found here: iommu/vt-d: Remove WO permissions on second-level paging entries

Exploit Details

Currently, there are no known active exploits targeting this vulnerability. However, it is essential to apply the provided patch for the Linux kernel to avoid potential security issues and inconsistencies in the handling of IOMMU VT-d paging permissions.

Conclusion

This vulnerability (CVE-2021-47035) showcases the requirement for continuous review and updates in the Linux kernel to ensure compatibility, security, and system stability. By addressing and resolving this inconsistency between first and second-level paging permissions, system administrators and developers using the Linux kernel can enjoy a more reliable and secure experience.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 12/19/2024 07:34:01 UTC