CVE-2021-47012 in Linuxinfo

Summary

by MITRE • 02/28/2024

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix a use after free in siw_alloc_mr

Our code analyzer reported a UAF.

In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).

My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {}
section, to avoid the uaf.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/20/2025

The vulnerability described in CVE-2021-47012 represents a critical use-after-free condition within the Linux kernel's RDMA software interface implementation. This flaw exists in the siw_alloc_mr function which handles memory registration operations for RDMA (Remote Direct Memory Access) connections. The issue arises from improper memory management during the allocation process where a pointer reference becomes invalid before the memory it points to is actually freed. The vulnerability was identified through automated code analysis tools that detected the unsafe memory access pattern.

The technical implementation of this vulnerability occurs within the siw_mr_add_mem function where memory allocation and assignment operations are not properly sequenced. When siw_alloc_mr calls siw_mr_add_mem, the function assigns the memory reference mem to mr->mem before performing error checking on the xa_alloc_cyclic() operation. If this allocation fails, the mem variable is immediately freed through kfree(mem) while mr->mem continues to reference the now-freed memory location. This creates a scenario where the freed memory pointer remains accessible and can be dereferenced later during error handling, specifically in the siw_mr_drop_mem function which processes the mr->mem reference in the err_out code path.

The operational impact of this use-after-free vulnerability extends beyond simple memory corruption and presents significant security implications for systems utilizing RDMA functionality. Attackers could potentially exploit this condition to execute arbitrary code with kernel privileges by manipulating the memory layout or by triggering the use-after-free scenario through crafted RDMA operations. The vulnerability affects systems running Linux kernels with RDMA software interface support, particularly those implementing the siw (software RDMA) driver. The flaw demonstrates poor memory management practices that violate fundamental security principles and can lead to privilege escalation, system instability, or complete system compromise depending on the exploitation context.

The mitigation strategy for CVE-2021-47012 involves applying the patch that reorders the memory assignment operations to ensure proper sequencing of memory allocation, error checking, and reference assignment. The fix moves the mr->mem = mem assignment statement to occur after the xa_alloc_cyclic() error check, preventing the scenario where a freed memory reference remains accessible. This approach aligns with security best practices for memory management in kernel space and follows the principle of defensive programming. The solution addresses the underlying CWE-416 vulnerability category related to use-after-free conditions and helps prevent exploitation through the ATT&CK technique of privilege escalation. System administrators should prioritize applying the kernel update containing this fix to protect against potential exploitation, particularly in environments where RDMA operations are actively used and where the system may be exposed to untrusted network traffic or users.

Reservation

02/27/2024

Disclosure

02/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00268

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!