A vulnerability within the Linux kernel has been identified and resolved, specifically affecting the __vmbus_open() function in the drivers/hv/vmbus subsystem. The issue is related to a use after free scenario, where a variable ("open_info") is not properly handled, causing potential security concerns. This article will discuss the details of the vulnerability, provide a code snippet demonstrating the solution, and include links to original references.
Details
The vulnerability, tracked as CVE-2021-47049, impacts the __vmbus_open() function within the Linux kernel's Hyper-V Virtual Machine Bus (VMBus) driver. The VMBus driver is responsible for managing communication between the host operating system and its guest virtual machines.
In this case, a memory leak occurs when the "open_info" variable is added to the &vmbus_connection.chn_msg_list. During error handling, the "open_info" variable is erroneously freed without being removed from the list first, leading to a use after free vulnerability. To mitigate this issue, it is necessary to first remove the "open_info" variable from the list and then free it.
Here is the code snippet, which shows the fix applied in the __vmbus_open() function
static int __vmbus_open(struct vmbus_channel *newchannel,
const struct vmbus_channel_open_info *oinfo)
{
struct vmbus_channel_open_msg *open_info;
int ret;
open_info = kzalloc(sizeof(*open_info), GFP_KERNEL);
if (!open_info)
return -ENOMEM;
memcpy(&open_info->channel_msg.open, &oinfo->open, sizeof(oinfo->open));
open_info->channel_msg.header.msgtype = CHANNELMSG_OPENCHANNEL;
init_completion(&open_info->waitevent);
spin_lock(&vmbus_connection.channel_mgmt_lock);
list_add_tail(&open_info->msglistentry, &vmbus_connection.chn_msg_list);
spin_unlock(&vmbus_connection.channel_mgmt_lock);
ret = vmbus_post_msg(newchannel->primary_channel,
&open_info->channel_msg, sizeof(oinfo->open));
if (ret != ) {
spin_lock(&vmbus_connection.channel_mgmt_lock);
list_del(&open_info->msglistentry);
spin_unlock(&vmbus_connection.channel_mgmt_lock);
kfree(open_info);
return ret;
}
wait_for_completion_timeout(&open_info->waitevent, 5*HZ);
spin_lock(&vmbus_connection.channel_mgmt_lock);
list_del(&open_info->msglistentry);
spin_unlock(&vmbus_connection.channel_mgmt_lock);
ret = open_info->vchannelopen_result;
kfree(open_info);
return ret;
}
The above code snippet demonstrates how the "open_info" variable is now being removed from the &vmbus_connection.chn_msg_list before being freed, addressing the use after free vulnerability.
Linux kernel Git commit implementing the fix:
Official CVE details:
https://nvd.nist.gov/vuln/detail/CVE-2021-47049
Conclusion
The Linux kernel vulnerability, CVE-2021-47049, which affected the __vmbus_open() function within the drivers/hv/vmbus subsystem, has been resolved. By properly handling the "open_info" variable during error handling, the use after free issue was mitigated. Updating to a version of the Linux kernel that includes this fix is strongly recommended to prevent potential security risks.
Timeline
Published on: 02/28/2024 09:15:40 UTC
Last modified on: 12/09/2024 19:06:07 UTC