CVE-2021-47124 in Linux
Summary
by MITRE • 03/15/2024
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix link timeout refs
WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
io_put_req fs/io_uring.c:2140 [inline]
io_queue_linked_timeout fs/io_uring.c:6300 [inline]
__io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354 io_submit_sqe fs/io_uring.c:6534 [inline]
io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660 __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
__se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/13/2025
The vulnerability identified as CVE-2021-47124 resides within the Linux kernel's io_uring subsystem, specifically addressing a critical reference counting issue that can lead to system instability and potential denial of service conditions. This flaw manifests in the io_uring implementation's handling of linked timeout requests, where improper reference management creates a scenario that can result in system crashes or resource exhaustion. The issue occurs when multiple threads or processes interact with io_uring operations concurrently, particularly when dealing with linked timeout requests that are part of asynchronous I/O operations.
The technical root cause of this vulnerability stems from a race condition in the io_uring subsystem's reference counting mechanism within the kernel's lib/refcount.c component. When io_link_timeout_fn() processes linked timeout requests, it is designed to release only a single reference to the timeout request structure. However, under specific concurrent access conditions, the normal execution flow allows for the same reference to be released twice, leading to a double-free condition or invalid memory access. The kernel's crash trace indicates that the issue originates from refcount_warn_saturate function in lib/refcount.c, which is triggered when reference counts become saturated or invalid due to improper decrement operations. This behavior directly violates the fundamental principles of reference counting as defined in the kernel's memory management subsystem.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling malicious actors to exploit the race condition for privilege escalation or system denial of service. When multiple concurrent io_uring operations occur, particularly involving linked timeout requests, the improper reference handling can cause the kernel to attempt to free memory that has already been freed or access invalid memory locations. This can result in kernel oops, system panics, or more insidiously, allow for memory corruption that could be leveraged for privilege escalation attacks. The vulnerability affects systems running Linux kernel versions that include the io_uring subsystem, making it particularly relevant for servers and high-performance computing environments that rely heavily on asynchronous I/O operations. According to CWE classification, this vulnerability corresponds to CWE-129: Improper Validation of Array Index, as it involves improper handling of reference counts that can lead to memory access violations, and potentially CWE-476: NULL Pointer Dereference when the reference counting mechanism fails.
Mitigation strategies for CVE-2021-47124 require immediate kernel updates to patched versions that address the reference counting race condition in the io_uring implementation. System administrators should prioritize applying the relevant security patches from their distribution vendors or directly from the Linux kernel stable releases. For environments where immediate patching is not feasible, monitoring for kernel oops messages or system instability related to io_uring operations can help detect potential exploitation attempts. The fix implemented in the patched kernel versions addresses the specific race condition by ensuring that io_link_timeout_fn() properly manages its reference counting operations and prevents the double release scenario that was causing the system crashes. Organizations should also consider implementing runtime monitoring of io_uring operations to detect anomalous behavior patterns that might indicate exploitation attempts. From an ATT&CK framework perspective, this vulnerability aligns with T1499.004: Endpoint Denial of Service, as it can be exploited to cause system instability and service disruption, and potentially T1068: Exploitation for Privilege Escalation if the memory corruption can be leveraged for code execution. The vulnerability demonstrates the critical importance of proper synchronization mechanisms in kernel-level code and highlights the need for comprehensive testing of concurrent access patterns in high-performance subsystems.