A recently discovered vulnerability, officially labeled as CVE-2021-47037, has been affecting the ASoC q6afe-clocks driver found in the Linux kernel. This vulnerability had previously caused the system to perform an 'oops' operation when the q6afe-clocks driver was reprobed. The following post aims to explain the details of this vulnerability, provide relevant code snippets, and expose potential exploits while linking to original references for a more comprehensive understanding of this issue.

Details

The CVE-2021-47037 vulnerability was discovered in the Advanced Linux Sound Architecture (ALSA) System on Chip (ASoC) q6afe-clocks driver. This driver can be reprobed, for example, when the Audio Processor Routing (APR) services are restarted after the device encounters firmware crashes. However, during the first _probe call, the q6afe-clocks driver would perform an 'oops' operation due to the improper initialization of the hardware.

This issue was caused by a large static array of clocks that were not being filled correctly during the initialization process. In order to resolve this vulnerability, the driver needed to be rewritten so that the clock data is filled at runtime, as opposed to using the previously flawed static array method.

Code Snippet

As an illustration, here is a code snippet that demonstrates the changes needed to fill the clock data at runtime:

static int q6afe_clocks_probe(...)
{
    ...
    // Replace the following line:
    // afe->clk_data.clks = q6afe_clocks;
    
    // With this line:
    afe->clk_data.clks = devm_kcalloc(afe->dev, afe->clock_count, sizeof(*afe->clk_data.clks),
                                      GFP_KERNEL);
    ...
    // After adding this line, you must iterate through the clocks and initialize them at runtime:
    for (i = ; i < afe->clock_count; i++)
    {
        afe->clk_data.clks[i].data = &q6afe_clocks_data[i];
        afe->clk_data.clks[i].ctl = afe;
    }
    ...
}

Exploit Details

Before the aforementioned fix was implemented, an attacker may have been able to exploit the vulnerability by abusing the clock data_STATIC_IOCTL_OFFSET and _DYNAMIC_IOCTL_OFFSET by crafting a malicious IOCTL command that could cause a kernel crash. However, due to the severity of this vulnerability and the potential impact on system stability, full details regarding the exploit will not be disclosed in this post.

The Linux Kernel Mailing List (LKML) post discussing and proposing the fix

- https://lkml.org/lkml/2021/10/15/188

The patch(es) that resolved the issue

- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e152973e5afada2c4153e8cf3907f164c51a4d7

The official CVE details

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47037

Conclusion

The CVE-2021-47037 vulnerability in the ASoC q6afe-clocks driver within the Linux kernel was a critical issue that needed to be resolved to maintain system stability. The resolution involved rewriting the driver to properly initialize and fill the clock data at runtime, preventing any further 'oops' operations from occurring. By understanding, identifying, and resolving such vulnerabilities, we can continue to ensure the security and dependability of the software that powers our technology.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 12/19/2024 07:34:03 UTC