A critical vulnerability in the Linux kernel has recently been discovered and resolved. The vulnerability is specifically related to the Serial Peripheral Interface (SPI) controller and the way it handles memory allocation in Direct Memory Access (DMA) mode. This article explores the details of the vulnerability, presents code snippets demonstrating the issue and the fix, and provides references to the original sources for further understanding.

Vulnerability Details

The vulnerability is identified as CVE-2021-47047 and concerns the spi-zynqmp-gqspi driver within the Linux kernel. The SPI controller supports a 44-bit address space on the AXI bus in DMA mode. When memory allocation using dma_map_single fails, the original code does not check the result and continues with DMA operations based on invalid addresses. This could lead to crashes, system instability, or, in the worst case, arbitrary code execution by attackers.

The issue is triggered in practice when reading a large block of data from flash. The system crashes with an error message indicating that the swiotlb buffer is full and the memory is not mapped, as shown in the excerpt below:

[  123.633577] zynqmp-qspi fff000.spi: swiotlb buffer is full (sz: 4194304 bytes), total 32768 (slots), used  (slots)
[  123.644230] zynqmp-qspi fff000.spi: ERR:rxdma:memory not mapped
[  123.784625] Unable to handle kernel paging request at virtual address 00000000003fffc
...
[  123.834586] Internal error: Oops: 96000145 [#1] PREEMPT SMP

Fix

The fix is straightforward. When dma_map_single fails, the function should return -ENOMEM immediately, avoiding any further DMA operations based on invalid addresses. Additionally, the dma_addr_t width should be set to 44 bits so that buffers are mapped directly instead of being bounced through swiotlb.

By implementing these changes, the vulnerability is resolved and the potential for crashes and system instability is significantly reduced.
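To make the two halves of the fix concrete, the following user-space C model is an added example, not the driver's code or the upstream patch. It mocks dma_map_single and dma_mapping_error (names and semantics follow the kernel API, but the implementations here are constructed), uses a constructed 4 MiB bounce pool matching the size in the oops above, and contrasts the pre-fix pattern (mapping result never checked) with the post-fix pattern (return -ENOMEM on a failed mapping). It also shows why the 44-bit DMA mask matters: with a 32-bit mask a buffer above 4 GiB has to be bounced through swiotlb and a large request fails, whereas with the 44-bit mask the same buffer maps directly. Device masks, physical addresses and transfer sizes are constructed sample values.

```c
/* Added example, not the driver's code: a user-space model of the error path
 * that the CVE-2021-47047 fix closes. dma_map_single()/dma_mapping_error()
 * and the swiotlb pool are mocked with constructed values so the block runs
 * on its own. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t dma_addr_t;
#define DMA_MAPPING_ERROR ((dma_addr_t)~0ULL)
#define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL << (n)) - 1))

/* Constructed: a 4 MiB bounce pool, the size at which the oops above fired. */
#define SWIOTLB_BYTES (4ULL << 20)

struct dev { uint64_t dma_mask; };

/* Constructed device instances: a 32-bit DMA mask and the fixed 44-bit one. */
static const struct dev dev32 = { DMA_BIT_MASK(32) };
static const struct dev dev44 = { DMA_BIT_MASK(44) };

/* Last address handed back by the checked path (kept global for inspection). */
static dma_addr_t last_addr;

/* Mock of dma_map_single(): a buffer the device can address directly is mapped
 * as-is; anything above the mask must be bounced through swiotlb, which fails
 * once the request is larger than the pool. */
static dma_addr_t mock_dma_map_single(const struct dev *d, uint64_t phys, size_t len)
{
    if (len == 0)
        return DMA_MAPPING_ERROR;
    if (phys + len - 1 <= d->dma_mask)
        return phys;                    /* direct mapping, no bounce needed */
    if (len > SWIOTLB_BYTES)
        return DMA_MAPPING_ERROR;       /* "swiotlb buffer is full" */
    return 0x100000ULL;                 /* constructed bounce-buffer address */
}

/* Mock of dma_mapping_error(): the only correct way to test a mapping result. */
static bool mock_dma_mapping_error(dma_addr_t a)
{
    return a == DMA_MAPPING_ERROR;
}

/* Pre-fix shape: the mapping result is never checked, so on failure the
 * controller would be programmed with DMA_MAPPING_ERROR as its address. */
static dma_addr_t rxdma_unchecked(const struct dev *d, uint64_t phys, size_t len)
{
    return mock_dma_map_single(d, phys, len);
}

/* Post-fix shape: detect the failed mapping and return -ENOMEM before any
 * DMA register is written. */
static int rxdma_checked(const struct dev *d, uint64_t phys, size_t len, dma_addr_t *out)
{
    dma_addr_t a = mock_dma_map_single(d, phys, len);
    if (mock_dma_mapping_error(a))
        return -ENOMEM;
    *out = a;
    return 0;
}

int main(void)
{
    /* Constructed request: an 8 MiB read into a buffer located above 4 GiB. */
    const uint64_t phys = 0x100000000ULL;
    const size_t len = (size_t)8 << 20;

    printf("pre-fix, 32-bit mask : addr=0x%llx (this is DMA_MAPPING_ERROR)\n",
           (unsigned long long)rxdma_unchecked(&dev32, phys, len));
    printf("post-fix, 32-bit mask: rc=%d\n", rxdma_checked(&dev32, phys, len, &last_addr));
    printf("post-fix, 44-bit mask: rc=%d addr=0x%llx\n",
           rxdma_checked(&dev44, phys, len, &last_addr), (unsigned long long)last_addr);
    return 0;
}
```

The unchecked path hands back the all-ones sentinel, which is exactly the kind of value that ends up in the controller's address registers and produces the paging fault in the excerpt. The checked path fails closed with -ENOMEM, and with the 44-bit mask the large buffer never needs a bounce in the first place.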

References

The complete patch for this vulnerability can be found in the following commit of the Linux kernel repository: linux/kernel/git/torvalds/linux.git: spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails

For more details on the vulnerability itself, refer to the official CVE entry at the MITRE Corporation's website: CVE-2021-47047

Conclusion

The Linux kernel vulnerability CVE-2021-47047 has been resolved with a simple code change that ensures proper error handling and memory allocation in the Serial Peripheral Interface (SPI) controller driver. Users and developers running affected versions of the Linux kernel should apply the patch to protect their systems from crashes and exploit attempts. As always, it is essential to stay up to date with security patches and advisories to ensure the highest level of system protection.

Timeline

Published on: 02/28/2024 09:15:40 UTC
Last modified on: 05/29/2024 05:01:11 UTC