CVE-2021-47127 in Linux
Summary
by MITRE • 03/15/2024
In the Linux kernel, the following vulnerability has been resolved:
ice: track AF_XDP ZC enabled queues in bitmap
Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") silently introduced a regression and broke the Tx side of AF_XDP in copy mode. xsk_pool on ice_ring is set only based on the existence of the XDP prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed. That is not something that should happen for copy mode as it should use the regular data path ice_clean_tx_irq.
This results in a following splat when xdpsock is run in txonly or l2fwd scenarios in copy mode:
[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 106.057269] #PF: supervisor read access in kernel mode
[ 106.062493] #PF: error_code(0x0000) - not-present page
[ 106.067709] PGD 0 P4D 0
[ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45
[ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50
[ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00
[ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206
[ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800
[ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800
[ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800
[ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff
[ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018
[ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000
[ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0
[ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 106.192898] PKRU: 55555554
[ 106.195653] Call Trace:
[ 106.198143]
[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]
[ 106.205087] ice_napi_poll+0x3e/0x590 [ice]
[ 106.209356] __napi_poll+0x2a/0x160
[ 106.212911] net_rx_action+0xd6/0x200
[ 106.216634] __do_softirq+0xbf/0x29b
[ 106.220274] irq_exit_rcu+0x88/0xc0
[ 106.223819] common_interrupt+0x7b/0xa0
[ 106.227719]
[ 106.229857] asm_common_interrupt+0x1e/0x40
Fix this by introducing the bitmap of queues that are zero-copy enabled, where each bit, corresponding to a queue id that xsk pool is being configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and
checked within ice_xsk_pool(). The latter is a function used for deciding which napi poll routine is executed. Idea is being taken from our other drivers such as i40e and ixgbe.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/07/2025
The vulnerability CVE-2021-47127 affects the Linux kernel's ice driver, which manages Intel Ethernet network adapters. This issue stems from a regression introduced in commit c7a219048e45 that incorrectly handles AF_XDP (AF_PACKET eXDP) zero-copy mode operations on the transmit side. The flaw occurs when the driver attempts to execute zero-copy transmit interrupt handling routines (ice_clean_tx_irq_zc) even when operating in copy mode, which is inappropriate and leads to system instability.
The technical root cause involves improper queue state management within the ice driver's XDP infrastructure. Specifically, the xsk_pool (XDP socket pool) is only initialized based on the presence of an XDP program on the Virtual Station Interface (VSI), without considering whether the mode is copy or zero-copy. This misconfiguration results in the kernel attempting to access a NULL pointer during transmit operations, as evidenced by the kernel oops message showing a NULL pointer dereference at address 0x30. The error originates from the xp_raw_get_dma function, indicating that the driver attempts to process zero-copy transmit buffers when copy mode should be active.
This vulnerability directly maps to CWE-476, which describes NULL pointer dereference, and represents a critical kernel memory safety issue. The operational impact is severe, as it causes kernel panics and system crashes during network traffic processing in copy mode scenarios, particularly affecting applications using xdpsock in txonly or l2fwd modes. The affected system components include the ice driver's transmit interrupt handling mechanisms, NAPI polling routines, and XDP socket pool management functions.
The fix implements a bitmap-based approach to track which queues have zero-copy enabled, similar to patterns used in other Intel network drivers like i40e and ixgbe. This solution introduces proper queue state tracking through ice_xsk_pool_enable and ice_xsk_pool_disable functions, ensuring that the correct interrupt handling routine (ice_clean_tx_irq_zc vs ice_clean_tx_irq) is selected based on the actual queue configuration. The implementation aligns with ATT&CK technique T1059.006 for kernel-level code injection and T1547.001 for kernel module loading, as it modifies core network driver behavior to prevent unauthorized access patterns. This mitigation ensures proper separation between zero-copy and copy mode operations, preventing the kernel from attempting to access uninitialized or invalid memory structures during transmit processing.