CVE-2021-47482 in Linux

Summary

by MITRE • 05/22/2024

In the Linux kernel, the following vulnerability has been resolved:

net: batman-adv: fix error handling

Syzbot reported an ODEBUG warning in batadv_nc_mesh_free(). The problem was in wrong error handling in batadv_mesh_init().

Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case of any batadv_*_init() call failure. This approach may work well when there is some kind of indicator which can tell which parts of batadv are initialized, but there isn't any.

All of the above leads to cleaning up uninitialized fields. Even if we hide the ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit a GPF in batadv_nc_purge_paths(), because the hash pointer is still NULL. [1]

To fix these bugs we can unwind the batadv_*_init() calls one by one. It is a good approach for 2 reasons: 1) it fixes bugs on the error handling path; 2) it improves the performance, since we won't call unneeded batadv_*_free() functions.

So, this patch makes all batadv_*_init() clean up all allocated memory before returning with an error, so there is no need to call the corresponding batadv_*_free(), and open-codes batadv_mesh_free() with the proper order to avoid touching uninitialized fields.


Analysis

by VulDB Data Team • 05/22/2024

The vulnerability described in CVE-2021-47482 affects the Linux kernel's batman-adv networking module, which implements the Better Approach to Mobile Ad-hoc Networking protocol. This protocol enables mesh networking capabilities in wireless local area networks and is widely used in enterprise and consumer networking environments. The issue stems from improper error handling within the batadv_mesh_init() function, which creates a critical flaw in the module's initialization sequence.

The technical flaw manifests when the batadv_mesh_init() function encounters failures during initialization of various sub-components within the batman-adv module. Previously, the implementation would call batadv_mesh_free() regardless of which specific initialization step had failed, without any mechanism to track which components had been successfully initialized. This creates a dangerous state where cleanup operations attempt to free memory and resources that were never allocated, leading to undefined behavior and potential system crashes.

This vulnerability specifically triggers an ODEBUG warning in the batadv_nc_mesh_free() function, where the system attempts to clean up uninitialized fields within the network coding subsystem. The problem becomes particularly severe when the batadv_nc_purge_paths() function encounters a null hash pointer, resulting in a general protection fault that can crash the entire system. The root cause lies in the lack of proper state tracking during initialization, which is a common pattern identified in CWE-459 - Incomplete Cleanup and CWE-691 - Insufficient Control Flow Management.

The operational impact of this vulnerability is significant for systems running Linux kernels with batman-adv support, particularly in environments where mesh networking is utilized for critical infrastructure. An attacker could potentially exploit this flaw to cause denial of service through system crashes, or in more sophisticated scenarios, leverage the uninitialized memory access patterns to execute arbitrary code. The vulnerability affects systems using the batman-adv kernel module for wireless mesh networking, which includes various enterprise routers, wireless access points, and embedded networking devices.

The fix implemented in this patch addresses the fundamental error handling approach by implementing a proper unwinding mechanism for the initialization sequence. Instead of calling batadv_mesh_free() on any failure, the patch ensures that each batadv_*_init() function cleans up only the resources it has allocated before returning an error, and that batadv_mesh_init() unwinds only the steps that have already succeeded. VulDB classifies the issue under ATT&CK technique T1068 - Exploitation for Privilege Escalation; the fix itself follows best practices for defensive programming. The solution improves both security and performance: no uninitialized fields are accessed on the error handling path, and redundant calls to cleanup functions that are not needed are avoided, making the initialization process more efficient and robust.
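The unwinding pattern described in the commit message and in the analysis above, as an added example that is not the kernel's batman-adv code: a hypothetical mesh_priv structure with three init steps, a fault-injection knob, and the "before" and "after" error-handling variants side by side. The names mesh_priv, hash_init/work_init/nc_init and their _free counterparts are assumptions standing in for bat_priv and the batadv_*_init()/batadv_*_free() functions; instead of crashing, the cleanup functions count every call that touches state which was never initialized (the ODEBUG warning on the never-set work item, the NULL hash that batadv_nc_purge_paths() would dereference).

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for bat_priv; the real batman-adv types are not
 * reproduced here. Three sub-systems are initialised in this order. */
struct mesh_priv {
	void **hash;    /* allocated by hash_init(); NULL until then */
	int work_ready; /* set by work_init() */
	int nc_ready;   /* set by nc_init(); its cleanup walks the hash */
};

static int fail_at;         /* fault injection: which init step fails (0 = none) */
static int unsafe_cleanups; /* cleanup calls that touched uninitialised state */

static int hash_init(struct mesh_priv *p)
{
	if (fail_at == 1)
		return -1;
	p->hash = calloc(16, sizeof(*p->hash));
	return p->hash ? 0 : -1;
}

static void hash_free(struct mesh_priv *p)
{
	if (!p->hash) {          /* freeing a table that was never created */
		unsafe_cleanups++;
		return;
	}
	free(p->hash);
	p->hash = NULL;
}

static int work_init(struct mesh_priv *p)
{
	if (fail_at == 2)
		return -1;
	p->work_ready = 1;
	return 0;
}

static void work_free(struct mesh_priv *p)
{
	if (!p->work_ready)      /* models the ODEBUG warning: cancelling unset work */
		unsafe_cleanups++;
	p->work_ready = 0;
}

static int nc_init(struct mesh_priv *p)
{
	if (fail_at == 3)
		return -1;
	p->nc_ready = 1;
	return 0;
}

static void nc_free(struct mesh_priv *p)
{
	/* Purging paths walks the hash; with a NULL hash this is the GPF. */
	if (!p->nc_ready || !p->hash)
		unsafe_cleanups++;
	p->nc_ready = 0;
}

/* Full teardown, valid only once every step has succeeded. */
static void mesh_free_all(struct mesh_priv *p)
{
	nc_free(p);
	work_free(p);
	hash_free(p);
}

/* "Before": any failure tears down everything, initialised or not. */
static int mesh_init_before(struct mesh_priv *p)
{
	if (hash_init(p) < 0 || work_init(p) < 0 || nc_init(p) < 0) {
		mesh_free_all(p);
		return -1;
	}
	return 0;
}

/* "After": unwind only the steps that succeeded, in reverse order; a step
 * that fails is responsible for its own partial state, so nothing to undo. */
static int mesh_init_after(struct mesh_priv *p)
{
	if (hash_init(p) < 0)
		return -1;
	if (work_init(p) < 0)
		goto err_hash;
	if (nc_init(p) < 0)
		goto err_work;
	return 0;
err_work:
	work_free(p);
err_hash:
	hash_free(p);
	return -1;
}

/* Run one variant with a fault injected at `step` and return how many
 * cleanup calls touched uninitialised state (0 is the goal). */
static int unsafe_cleanups_for(int (*init)(struct mesh_priv *), int step)
{
	struct mesh_priv p;
	memset(&p, 0, sizeof(p));
	fail_at = step;
	unsafe_cleanups = 0;
	if (init(&p) == 0)
		mesh_free_all(&p);
	return unsafe_cleanups;
}

int before_count(int step) { return unsafe_cleanups_for(mesh_init_before, step); }
int after_count(int step)  { return unsafe_cleanups_for(mesh_init_after, step); }
```

Injecting a failure at step 2 makes the "before" variant hit two uninitialised fields (the unset work item and the network-coding state), exactly the class of bug syzbot reported, while the "after" variant frees only the hash table it had actually created.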

Reservation

05/22/2024

Disclosure

05/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00739

KEV

no

Activities

very low
