CVE-2021-47435 in Linux

Summary

by MITRE • 05/22/2024

In the Linux kernel, the following vulnerability has been resolved:

dm: fix mempool NULL pointer race when completing IO

dm_io_dec_pending() calls end_io_acct() first and will then dec md in-flight pending count. But if a task is swapping DM table at same time this can result in a crash due to mempool->elements being NULL:

task1                              task2
do_resume
 ->do_suspend
  ->dm_wait_for_completion
                                   bio_endio
                                    ->clone_endio
                                     ->dm_io_dec_pending
                                      ->end_io_acct
                                       ->wakeup task1
 ->dm_swap_table
  ->__bind
   ->__bind_mempools
    ->bioset_exit
     ->mempool_exit
                                       ->free_io

[ 67.330330] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
......
[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)
[ 67.330510] pc : mempool_free+0x70/0xa0
[ 67.330515] lr : mempool_free+0x4c/0xa0
[ 67.330520] sp : ffffff8008013b20
[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004
[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8
[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800
[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800
[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80
[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c
[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd
[ 67.330563] x15: 000000000093b41e x14: 0000000000000010
[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555
[ 67.330574] x11: 0000000000000001 x10: 0000000000000001
[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000
[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a
[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001
[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8
[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970
[ 67.330609] Call trace:
[ 67.330616] mempool_free+0x70/0xa0
[ 67.330627] bio_put+0xf8/0x110
[ 67.330638] dec_pending+0x13c/0x230
[ 67.330644] clone_endio+0x90/0x180
[ 67.330649] bio_endio+0x198/0x1b8
[ 67.330655] dec_pending+0x190/0x230
[ 67.330660] clone_endio+0x90/0x180
[ 67.330665] bio_endio+0x198/0x1b8
[ 67.330673] blk_update_request+0x214/0x428
[ 67.330683] scsi_end_request+0x2c/0x300
[ 67.330688] scsi_io_completion+0xa0/0x710
[ 67.330695] scsi_finish_command+0xd8/0x110
[ 67.330700] scsi_softirq_done+0x114/0x148
[ 67.330708] blk_done_softirq+0x74/0xd0
[ 67.330716] __do_softirq+0x18c/0x374
[ 67.330724] irq_exit+0xb4/0xb8
[ 67.330732] __handle_domain_irq+0x84/0xc0
[ 67.330737] gic_handle_irq+0x148/0x1b0
[ 67.330744] el1_irq+0xe8/0x190
[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538
[ 67.330759] cpuidle_enter_state+0x1fc/0x398
[ 67.330764] cpuidle_enter+0x18/0x20
[ 67.330772] do_idle+0x1b4/0x290
[ 67.330778] cpu_startup_entry+0x20/0x28
[ 67.330786] secondary_start_kernel+0x160/0x170

Fix this by:
1) Establishing pointers to 'struct dm_io' members in dm_io_dec_pending() so that they may be passed into end_io_acct() _after_ free_io() is called.
2) Moving end_io_acct() after free_io().


Analysis

by VulDB Data Team • 02/01/2025

The vulnerability described in CVE-2021-47435 is in the Linux kernel's device mapper (dm) subsystem, in the interplay between bio completion and table swapping. It is a race between I/O completion accounting and mempool teardown that ends in a kernel NULL pointer dereference, and therefore a crash. Device mapper underlies LVM, dm-crypt, snapshots and similar stacked storage, so the affected path is exercised on most Linux servers that use logical volumes.

The root cause is the order of operations in dm_io_dec_pending() (dec_pending() in older trees). When the last reference to a dm_io drops, the function called end_io_acct() first and free_io() second. end_io_acct() is not only statistics: it decrements the in-flight count that dm_wait_for_completion() sleeps on and wakes any waiter. A second task sitting in do_resume() -> do_suspend() -> dm_wait_for_completion() is therefore woken as soon as the count reaches zero, while the completing task has not yet returned its dm_io to the pool. The woken task continues through dm_swap_table() -> __bind() -> __bind_mempools() -> bioset_exit() -> mempool_exit(), which frees the pool's reserved elements and sets mempool->elements to NULL. When the completing task then reaches free_io(), it hands the dm_io back to that pool; mempool_free() sees the pool below its minimum fill and tries to store the element into pool->elements, which is now NULL, so the write faults at virtual address 0. The call trace agrees with this: the faulting mempool_free() frame is reached through bio_put(), because free_io() in this kernel releases the clone bio that embeds the dm_io, and that bio's pool belongs to the bioset that has just been torn down.

The weakness is CWE-476 (NULL Pointer Dereference). The completion runs in the block softirq (blk_done_softirq() in the trace), so the oops is unrecoverable and takes the machine down; nothing in the report or the fix points to a controllable write, so treat this as a denial of service rather than a privilege escalation. Triggering it needs a table reload to overlap with a bio completion on the same mapped device. dm_swap_table() is reached through the device-mapper ioctls, which require CAP_SYS_ADMIN, so this is not something an unprivileged local user provokes directly; in practice it shows up as an unexplained crash during routine LVM, dm-crypt or snapshot reconfiguration on a device that is under I/O load. Because any bio completing against the device at the wrong moment can hit the window, the trace's two stacked clone_endio() frames (two dm devices layered on one SCSI request) are incidental; a single dm layer is enough.

The fix reorders dm_io_dec_pending(). end_io_acct() now runs after free_io(), so the wakeup that lets the suspending task continue into dm_swap_table() can only happen once the dm_io is already back in its pool. Because the dm_io is gone by the time accounting runs, the values end_io_acct() needs (the original bio, the start time and the other 'struct dm_io' members it reads) are copied into locals before free_io() and passed to end_io_acct() as arguments instead of being read through the io pointer afterwards. The change is confined to that one function: no new locking, no change to the suspend/resume protocol, and the I/O statistics stay exact. When auditing similar completion paths, the check to make is the same one: nothing that can wake a waiter who will free a resource may run before the last use of that resource.
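To make the ordering concrete, here is an added userspace C model of the two orderings of dm_io_dec_pending() described in the root-cause paragraph and the fix paragraph above. It is not kernel code and is not from the VulDB page or the kernel commit: the toy mempool, the mapped_device fields, and the shortcut of running task1's table swap synchronously from inside the wakeup (the worst-case interleaving for the completing task) are assumptions made so the race is deterministic. The buggy variant lets the wakeup, and hence the teardown, happen before the dm_io is returned to its pool; the fixed variant frees first and accounts afterwards, and the model reports -1 instead of writing through the NULL elements pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy mempool_t. After mempool_exit() the kernel leaves pool->elements NULL,
 * which is the pointer the oops above dereferences. */
struct mempool { void **elements; int curr_nr; int min_nr; };

struct dm_io { unsigned long start_time; int orig_bio_id; };

struct mapped_device {
    struct mempool io_pool;
    int in_flight, waiter_pending;          /* dm_wait_for_completion() sleeps on in_flight */
    int last_bio; unsigned long io_ticks;   /* stand-in for the I/O statistics */
};

static void mempool_init(struct mempool *p, int min_nr)
{
    p->elements = calloc((size_t)min_nr, sizeof(void *));
    p->min_nr = min_nr;
    for (p->curr_nr = 0; p->curr_nr < min_nr; p->curr_nr++)
        p->elements[p->curr_nr] = malloc(sizeof(struct dm_io));
}

static void mempool_exit(struct mempool *p)
{
    while (p->curr_nr > 0)
        free(p->elements[--p->curr_nr]);
    free(p->elements);
    p->elements = NULL;
}

/* 0 on success; -1 where the real mempool_free() would store through
 * pool->elements == NULL and crash (the pool is below min_nr after exit). */
static int mempool_free(void *element, struct mempool *p)
{
    if (p->curr_nr >= p->min_nr) { free(element); return 0; }
    if (!p->elements) return -1;
    p->elements[p->curr_nr++] = element;
    return 0;
}

/* task1, run synchronously from the wakeup (assumed worst case): once in_flight
 * is 0, do_suspend() returns and dm_swap_table() -> __bind_mempools() ->
 * bioset_exit() -> mempool_exit() tears down the old io pool. */
static void wake_up_waiter(struct mapped_device *md)
{
    if (md->waiter_pending && md->in_flight == 0) {
        md->waiter_pending = 0;
        mempool_exit(&md->io_pool);
    }
}

/* end_io_acct(): statistics, the in-flight decrement, then the wakeup. */
static void end_io_acct(struct mapped_device *md, int orig_bio_id, unsigned long start_time)
{
    md->last_bio = orig_bio_id;
    md->io_ticks += 250 - start_time;    /* "now" fixed at 250 for determinism */
    md->in_flight--;
    wake_up_waiter(md);
}

/* Pre-fix order in dm_io_dec_pending(): wake task1 first, free the dm_io second. */
static int dec_pending_buggy(struct mapped_device *md, struct dm_io *io)
{
    end_io_acct(md, io->orig_bio_id, io->start_time);
    return mempool_free(io, &md->io_pool);   /* pool may already be gone */
}

/* Fixed order: copy what end_io_acct() needs out of *io, free, then account. */
static int dec_pending_fixed(struct mapped_device *md, struct dm_io *io)
{
    int orig_bio_id = io->orig_bio_id;
    unsigned long start_time = io->start_time;
    int rc = mempool_free(io, &md->io_pool);
    end_io_acct(md, orig_bio_id, start_time);
    return rc;
}

/* One io in flight, task1 already parked in do_suspend() on the same md.
 * Returns 0 if completion was safe, -1 if the dm_io went into an exited pool. */
static int run_scenario(int (*dec_pending)(struct mapped_device *, struct dm_io *))
{
    struct mapped_device md;
    memset(&md, 0, sizeof md);
    mempool_init(&md.io_pool, 2);
    struct dm_io *io = md.io_pool.elements[--md.io_pool.curr_nr];
    io->orig_bio_id = 1; io->start_time = 100;
    md.in_flight = 1; md.waiter_pending = 1;
    int rc = dec_pending(&md, io);
    if (rc != 0)
        free(io);                   /* never made it back into the pool */
    if (md.io_pool.elements)
        mempool_exit(&md.io_pool);  /* task1 never reached the table swap */
    return rc;
}

int main(void)
{
    printf("pre-fix ordering: %d (-1 means free_io() hit an exited pool)\n",
           run_scenario(dec_pending_buggy));
    printf("fixed ordering:   %d\n", run_scenario(dec_pending_fixed));
    return 0;
}
```

The model deliberately makes the wakeup run the teardown inline. In the kernel the window is the gap between end_io_acct() waking task1 and the scheduler letting task2 reach free_io(), which is why the bug only shows under load; collapsing that gap to zero is what lets a test exercise the bad ordering every time.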

Reservation

05/21/2024

Disclosure

05/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00239

KEV

no

Activities

very low
