CVE-2021-28972 Overview
CVE-2021-28972 is a buffer overflow vulnerability in the Linux kernel's RPA PCI Hotplug driver (drivers/pci/hotplug/rpadlpar_sysfs.c). The flaw exists in kernel versions through 5.11.8 and allows a privileged local attacker to write data directly to the kernel stack frame by providing an oversized device name through userspace interfaces. This occurs because the add_slot_store and remove_slot_store functions mishandle drc_name null termination.
Critical Impact
Local privileged attackers can exploit improper null termination handling to write arbitrary data to the kernel stack, potentially leading to privilege escalation, code execution, or system compromise.
Affected Products
- Linux Kernel (through version 5.11.8)
- Fedora 32, 33, and 34
- NetApp Cloud Backup
- NetApp FAS/AFF Baseboard Management Controller
- NetApp SolidFire Baseboard Management Controller Firmware
Discovery Timeline
- 2021-03-22 - CVE-2021-28972 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28972
Vulnerability Analysis
This buffer overflow vulnerability resides in the RPA PCI Hotplug driver's sysfs interface, which is responsible for managing hot-pluggable PCI slots on IBM POWER systems. The vulnerability stems from improper handling of user-supplied device names when interacting with the driver through the sysfs filesystem.
When a user with sufficient privileges writes a new device name to the driver via the add_slot_store or remove_slot_store functions, the code fails to properly ensure null termination of the drc_name parameter. This oversight allows data larger than the expected buffer size to be written directly onto the kernel stack frame, bypassing normal memory boundaries.
The attack requires local access with high privileges (such as root), but successful exploitation could enable an attacker to corrupt kernel memory, potentially escalating privileges further or executing arbitrary code in kernel context.
Root Cause
The root cause is a classic buffer overflow due to improper string handling. The add_slot_store and remove_slot_store functions in rpadlpar_sysfs.c do not correctly validate the length of the incoming device name or ensure proper null (\0) termination before copying the data into a fixed-size buffer. This allows userspace input to overflow the allocated stack buffer and overwrite adjacent memory on the kernel stack.
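To make the mechanism concrete, the following userspace model is an added example written for this page; it is not the kernel's rpadlpar_sysfs.c code and not the upstream fix. It models the pattern the page describes (copy nbytes of user input into a fixed-size stack buffer without writing a terminator, then treat the buffer as a C string when stripping a trailing newline) next to a bounded copy that always terminates. The buffer size MAX_DRC_NAME_LEN, the struct frame_model layout, the stale-stack contents and the slot name are all constructed assumptions.

```c
/*
 * Added illustration (not the kernel's code): why a missing NUL terminator in a
 * sysfs store function turns a length-checked copy into an out-of-bounds write,
 * and how a bounded, always-terminated copy removes the problem.
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_DRC_NAME_LEN 64   /* assumed size of the fixed stack buffer */

/* Model of the kernel stack frame around drc_name; 'beyond' stands in for the
 * stale bytes that follow the buffer on a real stack. */
struct frame_model {
    char drc_name[MAX_DRC_NAME_LEN];
    char beyond[32];
};

/* Constructed stale stack: non-zero filler with a newline a few bytes past the
 * end of drc_name. Nothing here is zeroed, just as a real frame is not. */
static void fill_stale_frame(struct frame_model *f)
{
    memset(f, 'Z', sizeof(*f));
    f->beyond[5] = '\n';
}

/*
 * Defective pattern. nbytes is checked against the buffer size, but the copy
 * leaves drc_name unterminated, so a later strchr(drc_name, '\n') can scan past
 * the array. strchr() itself is not called on the unterminated buffer (that is
 * undefined behaviour); the scan is modelled over the whole frame instead, and
 * the function returns the offset at which '\0' would be written (-1 = rejected).
 */
static long unsafe_terminator_offset(struct frame_model *f, const char *buf, size_t nbytes)
{
    if (nbytes >= MAX_DRC_NAME_LEN)
        return -1;
    memcpy(f->drc_name, buf, nbytes);        /* no terminator written */

    const char *p = (const char *)f;
    for (size_t i = 0; i < sizeof(*f); i++) {
        if (p[i] == '\0')                    /* strchr would stop here and return NULL, */
            return (long)nbytes;             /* so the code would terminate at nbytes */
        if (p[i] == '\n')
            return (long)i;                  /* newline found: '\0' is written here */
    }
    return (long)sizeof(*f);                 /* scan ran off the whole model */
}

/*
 * Hardened pattern: copy at most nbytes bytes and always write a terminator
 * (the guarantee strscpy() gives in the kernel; spelled out here so the example
 * runs in userspace), then strip the newline from what is now a real C string.
 */
static long safe_terminator_offset(struct frame_model *f, const char *buf, size_t nbytes)
{
    if (nbytes >= MAX_DRC_NAME_LEN)
        return -1;
    size_t n = 0;
    while (n < nbytes && buf[n] != '\0')     /* stop early at an embedded NUL */
        n++;
    memcpy(f->drc_name, buf, n);
    f->drc_name[n] = '\0';                   /* n <= MAX_DRC_NAME_LEN - 1, always in bounds */

    char *nl = strchr(f->drc_name, '\n');    /* bounded by the terminator just written */
    if (nl) {
        *nl = '\0';
        return nl - f->drc_name;
    }
    return (long)n;
}

static bool offset_in_bounds(long off)
{
    return off >= 0 && off < MAX_DRC_NAME_LEN;
}

/* Run one input through the chosen variant on a freshly "staled" frame. */
static long demo_offset(bool hardened, const char *name, size_t nbytes)
{
    struct frame_model f;
    fill_stale_frame(&f);
    return hardened ? safe_terminator_offset(&f, name, nbytes)
                    : unsafe_terminator_offset(&f, name, nbytes);
}

/* Constructed slot name (not a real DRC name); 16 bytes with the newline at 15. */
static const char SHORT_NAME[] = "SLOT-EXAMPLE-01\n";

/* Worst case for the defect: a maximal-length name with no newline at all. */
static long demo_worst_case(bool hardened)
{
    char name[MAX_DRC_NAME_LEN];
    memset(name, 'A', sizeof(name));
    return demo_offset(hardened, name, MAX_DRC_NAME_LEN - 1);
}

int main(void)
{
    long u = demo_worst_case(false), s = demo_worst_case(true);
    printf("short name: unsafe=%ld safe=%ld (identical on benign input)\n",
           demo_offset(false, SHORT_NAME, sizeof(SHORT_NAME) - 1),
           demo_offset(true, SHORT_NAME, sizeof(SHORT_NAME) - 1));
    printf("worst case: unsafe writes '\\0' at offset %ld (%s), safe at %ld (%s)\n",
           u, offset_in_bounds(u) ? "in bounds" : "PAST drc_name",
           s, offset_in_bounds(s) ? "in bounds" : "PAST drc_name");
    return 0;
}
```

On ordinary input both variants behave identically, which is why this class of bug survives testing: only a name that fills the buffer with no newline of its own, combined with whatever happens to sit on the stack after drc_name, turns the terminator write into an out-of-bounds store.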
Attack Vector
The attack vector is local, requiring an attacker to have high-privilege access to the system. The exploitation occurs through the sysfs interface:
- An attacker with root or equivalent privileges accesses the sysfs entry for the RPA PCI Hotplug driver
- The attacker writes a specially crafted device name that exceeds the expected buffer length
- Due to missing null termination checks, the oversized input overwrites kernel stack memory
- The corrupted stack data can be leveraged for privilege escalation or arbitrary code execution
The vulnerability affects systems running the vulnerable kernel versions with the RPA PCI Hotplug driver enabled, which is primarily IBM POWER-based systems.
Detection Methods for CVE-2021-28972
Indicators of Compromise
- Unexpected or suspicious writes to /sys/bus/pci/slots/ sysfs entries
- Kernel crash logs (oops/panic) with stack traces referencing add_slot_store or remove_slot_store functions
- Unusual privileged process activity interacting with PCI hotplug subsystem
- Memory corruption indicators in kernel logs related to rpadlpar_sysfs.c
Detection Strategies
- Monitor sysfs write operations to PCI hotplug interfaces using audit rules
- Deploy kernel-level monitoring to detect anomalous stack behavior in hotplug drivers
- Implement file integrity monitoring on critical sysfs paths
- Use SentinelOne's kernel-level protection to detect exploitation attempts targeting driver interfaces
Monitoring Recommendations
- Enable kernel auditing for privileged operations on /sys/bus/pci/ paths
- Configure log aggregation to capture and alert on kernel oops messages referencing PCI hotplug functions
- Monitor for unauthorized privilege escalation attempts following suspicious driver interactions
- Review system logs for unusual device name patterns being passed to PCI hotplug interfaces
How to Mitigate CVE-2021-28972
Immediate Actions Required
- Update the Linux kernel to a patched version that addresses this vulnerability
- Restrict access to sysfs PCI hotplug interfaces to only essential administrative accounts
- Review and audit systems for any signs of exploitation attempts
- Consider disabling the RPA PCI Hotplug driver if not required for system operation
Patch Information
The vulnerability has been addressed in the upstream Linux kernel. The fix is available as upstream commit cc7a0bb058b85ea03db87169c60c7cfdd5d34678.
Distribution-specific patches are available:
- Fedora Package Announcement for Fedora users
- NetApp Security Advisory for NetApp product users
Workarounds
- Restrict write access to /sys/bus/pci/slots/ to only trusted administrators
- Use mandatory access control (SELinux/AppArmor) to limit processes that can interact with PCI hotplug sysfs entries
- Disable the rpadlpar_io module if RPA PCI Hotplug functionality is not required on the system
- Implement network segmentation to limit which hosts can reach affected systems (exploitation still requires local privileged access)
# Disable the RPA PCI Hotplug driver modules if not needed (run as root).
# Blacklisting only prevents automatic loading at the next boot; use
# "modprobe -r rpadlpar_io rpaphp" to unload them from a running system.
echo "blacklist rpaphp" >> /etc/modprobe.d/blacklist.conf
echo "blacklist rpadlpar_io" >> /etc/modprobe.d/blacklist.conf
# Restrict sysfs access using chmod (temporary mitigation: does not persist
# across reboots and does not constrain root, which the attack already requires)
chmod 600 /sys/bus/pci/slots/*/
# Update kernel to patched version (example for Fedora)
dnf update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.