CVE-2021-47076 in Linuxinfo

Summary

by MITRE • 03/02/2024

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Return CQE error if invalid lkey was supplied

RXE is missing update of WQE status in LOCAL_WRITE failures. This caused the following kernel panic if someone sent an atomic operation with an explicitly wrong lkey.

[leonro@vm ~]$ mkt test
test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ... WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff RSP: 0018:ffff8880158af090 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652 RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210 RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8 R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_rcv+0xb11/0x1df0 [rdma_rxe]
rxe_loopback+0x157/0x1e0 [rdma_rxe]
rxe_responder+0x5532/0x7620 [rdma_rxe]
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
rxe_loopback+0x157/0x1e0 [rdma_rxe]
rxe_requester+0x1efd/0x58c0 [rdma_rxe]
rxe_do_task+0x130/0x230 [rdma_rxe]
rxe_post_send+0x998/0x1860 [rdma_rxe]
ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]
ib_uverbs_write+0x847/0xc80 [ib_uverbs]
vfs_write+0x1c5/0x840 ksys_write+0x176/0x1d0 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 11/03/2025

The vulnerability identified as CVE-2021-47076 affects the Linux kernel's RDMA over Ethernet (RXE) implementation, specifically within the completion handling mechanism for work queue elements. This flaw stems from an incomplete update of work queue element status during local write operations, creating a condition where invalid local keys (lkeys) are not properly validated before atomic operations are processed. The issue manifests as a kernel panic when an atomic operation is submitted with an explicitly incorrect lkey, exposing a critical gap in the RXE driver's error handling and validation procedures.

The technical root cause lies in the rxe_completer function within the rdma_rxe kernel module, where the code fails to properly update the work queue element status when local write failures occur. This deficiency creates a scenario where the system continues processing with invalid state information, leading to a kernel panic at line 740 of rxe_comp.c. The vulnerability operates at the kernel level, specifically within the Infiniband RDMA subsystem, where RXE provides software-based RDMA capabilities. The panic occurs during the completion processing of RDMA operations, indicating a failure in the error propagation mechanism that should have caught and handled the invalid lkey condition gracefully.

This vulnerability represents a significant security risk as it can be exploited to cause denial of service through kernel panic conditions, effectively crashing the target system and disrupting critical network services. The impact extends beyond simple system availability, as the flaw allows for potential privilege escalation or information disclosure depending on the execution context. The ATT&CK framework categorizes this under privilege escalation and denial of service techniques, specifically mapping to T1499.004 (Network Denial of Service) and T1547.001 (Registry Run Keys/Startup Folder). The CWE classification for this vulnerability aligns with CWE-248 (Uncaught Exception) and CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), as the flaw involves improper handling of exceptional conditions and shared resource access without proper synchronization mechanisms.

Mitigation strategies for CVE-2021-47076 require immediate kernel updates to versions containing the patched RDMA RXE driver implementation. System administrators should prioritize patching affected systems, particularly those running kernel versions prior to 5.13.0-rc1, as the vulnerability is present in the mainline kernel code. Organizations should implement monitoring for kernel panic events related to RDMA operations and establish incident response procedures for handling such denial of service conditions. Additionally, network segmentation and access controls should be implemented to limit exposure to potential attackers who might attempt to exploit this vulnerability through RDMA-enabled network interfaces. The fix implemented in the patched kernel versions ensures proper status updates for work queue elements during local write failures, preventing the kernel panic condition that occurred when invalid lkeys were processed during atomic operations.

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!