CVE-2021-28972 Overview
CVE-2021-28972 is a stack buffer overflow in the Linux kernel's RPA PCI Hotplug driver, drivers/pci/hotplug/rpadlpar_sysfs.c, which is built only for IBM PowerPC (pseries) systems. The flaw affects the Linux kernel through version 5.11.8. The add_slot_store and remove_slot_store functions mishandle drc_name '\0' termination when userspace writes a device name to the driver through sysfs, so a local user with write access to those sysfs nodes (root) can make the handler write beyond a fixed-size buffer on the kernel stack. Successful exploitation corrupts kernel stack memory, which can crash the kernel (denial of service) or, in principle, be turned into kernel-level code execution; because the writer must already be root, this crosses the root-to-kernel boundary rather than escalating an unprivileged user. The fix is upstream kernel commit cc7a0bb058b8, and the issue is classified under [CWE-120] Classic Buffer Overflow.
Critical Impact
Local attackers who already hold root can corrupt the kernel stack through the RPA PCI Hotplug sysfs interface, potentially achieving full kernel compromise on affected PowerPC Linux systems. Hosts on which the driver is not built or loaded are not exposed.
Affected Products
- Linux Kernel through 5.11.8
- Fedora 32, 33, and 34
- NetApp Cloud Backup, FAS/AFF Baseboard Management Controller, and SolidFire Baseboard Management Controller Firmware
Discovery Timeline
- 2021-03-22 - CVE-2021-28972 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28972
Vulnerability Analysis
The vulnerability resides in the RPA Dynamic Logical Partitioning (DLPAR) sysfs interface used on IBM PowerPC systems. The add_slot_store and remove_slot_store handlers receive a dynamic reconfiguration connector name (drc_name) from userspace through sysfs writes. Each handler copies the written bytes into a fixed-size buffer on the kernel stack and then searches that buffer as a C string for a trailing newline before it has placed any terminator. A sysfs write is not NUL-terminated, so if the written bytes contain neither a newline nor a '\0', the search continues into whatever stale bytes follow the input, first inside the buffer and then beyond it, and the handler writes its terminator wherever the search stops. The result is an out-of-bounds write on the kernel stack frame that userspace reaches through an ordinary sysfs write.
Root Cause
The root cause is the order of operations in the sysfs store callbacks: the user-supplied bytes are copied into the stack buffer without a terminating '\0', and the newline search that follows treats the buffer as a C string. With no terminator inside the written region, the search can walk past the copied bytes and past the end of the buffer, and the '\0' the handler then stores lands outside the buffer, corrupting whatever the compiler placed after it in the frame. The same walk also leaves drc_name holding stale bytes beyond the user's input, so the name handed on to the DLPAR code can be garbage.
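The following userspace C program is an added example; it is not code from the kernel, from the fix commit, or from this page. It models the string handling described in the two sections above: the vulnerable pattern (copy, search as a C string, then terminate, modelled on the pre-fix logic) beside the corrected pattern that the Patch Information section refers to, using a struct that stands in for the handler's stack frame so the out-of-bounds terminator write and the unterminated name can be observed deterministically. Assumptions: the 64-byte bound is the one the kernel's rpadlpar.h uses for drc_name; the `frame` layout, the stale bytes planted by `prime_frame`, and the sample DRC name are all constructed for the demo; and `strnlen` plus `memcpy` stands in for the kernel's `strscpy`, which userspace libc does not provide.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DRC_NAME_LEN 64   /* bound the kernel's rpadlpar.h uses for drc_name */

/* Model of the store handler's stack frame: the name buffer plus the bytes
 * that happen to follow it. Constructed for this demo; the real layout
 * depends on the compiler and architecture. */
struct frame {
    char drc_name[MAX_DRC_NAME_LEN];
    char after[8];
};

typedef long store_fn(struct frame *, const char *, size_t);

/* Fill the frame with stale bytes, including a '\n' just past the buffer,
 * as an earlier call on the same stack could easily have left behind. */
static void prime_frame(struct frame *f)
{
    memset(f, 'A', sizeof *f);
    f->after[3] = '\n';
}

/* Vulnerable pattern (modelled on the pre-fix logic): copy nbytes, then
 * search the buffer as a C string before any terminator exists. */
static long vuln_store(struct frame *f, const char *buf, size_t nbytes)
{
    char *end;
    if (nbytes >= MAX_DRC_NAME_LEN)
        return 0;
    memcpy(f->drc_name, buf, nbytes);   /* no NUL written yet */
    end = strchr(f->drc_name, '\n');    /* scans stale bytes past nbytes, then past the buffer */
    if (!end)
        end = &f->drc_name[nbytes];
    *end = '\0';                        /* terminator lands wherever the scan stopped */
    return (long)nbytes;
}

/* Hardened pattern: terminate first, then strip a newline only inside the
 * terminated string. strnlen+memcpy+NUL stands in for the kernel's
 * strscpy(drc_name, buf, nbytes + 1). */
static long fixed_store(struct frame *f, const char *buf, size_t nbytes)
{
    size_t n;
    char *end;
    if (nbytes >= MAX_DRC_NAME_LEN)
        return 0;
    n = strnlen(buf, nbytes);           /* stop at an embedded NUL, as strscpy does */
    memcpy(f->drc_name, buf, n);
    f->drc_name[n] = '\0';
    end = strchr(f->drc_name, '\n');    /* now bounded by the terminator */
    if (end)
        *end = '\0';
    return (long)nbytes;
}

/* 1 if drc_name holds a NUL somewhere inside its 64 bytes. */
static int name_terminated(const struct frame *f)
{
    return memchr(f->drc_name, '\0', MAX_DRC_NAME_LEN) != NULL;
}

/* 1 if the stale '\n' after the buffer was overwritten by the terminator. */
static int oob_write_happened(const struct frame *f)
{
    return f->after[3] == '\0';
}

/* Worst case for the vulnerable path: 60 bytes, no '\n', no NUL (constructed).
 * Returns bit0 = name terminated inside the buffer, bit1 = byte after the
 * buffer was modified. */
static int long_name_outcome(store_fn *store)
{
    struct frame f;
    char name[60];
    memset(name, 'x', sizeof name);
    prime_frame(&f);
    store(&f, name, sizeof name);
    return (name_terminated(&f) ? 1 : 0) | (oob_write_happened(&f) ? 2 : 0);
}

/* Ordinary input: a constructed DRC name with the trailing newline that
 * `echo name > add_slot` delivers. Returns 1 if it is stored correctly. */
static int newline_name_ok(store_fn *store)
{
    static const char in[] = "U7879.001.DQD0KJ9-P1-C1\n";
    struct frame f;
    prime_frame(&f);
    store(&f, in, sizeof in - 1);
    return name_terminated(&f) && !oob_write_happened(&f) &&
           strcmp(f.drc_name, "U7879.001.DQD0KJ9-P1-C1") == 0;
}

/* Both versions keep the original length guard: a 64-byte write is refused. */
static int oversize_rejected(store_fn *store)
{
    struct frame f;
    char name[MAX_DRC_NAME_LEN];
    memset(name, 'x', sizeof name);
    prime_frame(&f);
    return store(&f, name, sizeof name) == 0;
}

int main(void)
{
    int v = long_name_outcome(vuln_store), x = long_name_outcome(fixed_store);
    printf("vulnerable, 60-byte name: terminated=%d oob_write=%d\n", v & 1, (v >> 1) & 1);
    printf("fixed, 60-byte name:      terminated=%d oob_write=%d\n", x & 1, (x >> 1) & 1);
    printf("newline stripped: vulnerable=%d fixed=%d, oversize refused: %d\n",
           newline_name_ok(vuln_store), newline_name_ok(fixed_store), oversize_rejected(vuln_store));
    return 0;
}
```

Compile with any C compiler and run. For the 60-byte name the vulnerable variant reports terminated=0 oob_write=1 (the terminator landed past the buffer and the name has no NUL inside it), the fixed variant terminated=1 oob_write=0; both handle a newline-terminated name and refuse a 64-byte write, which is why the bug went unnoticed in normal use. The demo writes only one NUL byte out of bounds, matching what the handler does; on a real stack the bytes after the buffer are whatever the compiler placed there, which is the corruption the Root Cause section describes.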
Attack Vector
An attacker needs local access and root privileges, since the affected sysfs nodes are writable only by root. The attacker writes a crafted drc_name payload to /sys/bus/pci/slots/.../add_slot or remove_slot. Because the resulting out-of-bounds write lands on the kernel stack, the flaw can corrupt kernel control data on PowerPC systems where the RPA Hotplug driver is loaded; on other architectures the driver is not built and the nodes do not exist. The fix and its rationale are described in the upstream Linux kernel commit log.
Detection Methods for CVE-2021-28972
Indicators of Compromise
- Unexpected kernel oops or panic messages in dmesg referencing rpadlpar_sysfs, add_slot_store, or remove_slot_store.
- Writes to /sys/bus/pci/slots/*/add_slot or /sys/bus/pci/slots/*/remove_slot carrying names that are unusually long, lack the trailing newline a normal `echo` write produces, or do not look like a DRC name.
- Unexplained kernel stack traces on PowerPC systems running the RPA PCI Hotplug driver.
Detection Strategies
- Audit kernel versions across the Linux fleet and flag hosts running kernels at or below 5.11.8 without the cc7a0bb058b8 backport.
- Monitor process execution that writes to rpadlpar sysfs nodes from non-administrative scripts or interactive shells.
- Correlate kernel crash telemetry with file write events targeting /sys/bus/pci/slots/.
Monitoring Recommendations
- Enable Linux audit rules on /sys/bus/pci/slots/*/add_slot and remove_slot write operations.
- Forward kernel ring buffer logs to a centralized SIEM and alert on rpadlpar_sysfs references.
- Track loaded kernel modules and inventory PowerPC hosts where the rpadlpar_io module is present.
How to Mitigate CVE-2021-28972
Immediate Actions Required
- Update the Linux kernel to a version that includes upstream commit cc7a0bb058b8 or a vendor backport that fixes drc_name null termination.
- Apply Fedora updates referenced in the Fedora Package Announcement for Fedora 32, 33, and 34.
- Apply NetApp firmware and product updates per the NetApp Security Advisory.
- Restrict root and CAP_SYS_ADMIN privileges to trusted administrators only.
Patch Information
The upstream fix corrects null termination handling in add_slot_store and remove_slot_store within drivers/pci/hotplug/rpadlpar_sysfs.c. The patch is available in the Linux Kernel Commit Log under commit hash cc7a0bb058b85ea03db87169c60c7cfdd5d34678. Distribution vendors including Fedora and NetApp have released updated packages that incorporate this fix.
Workarounds
- Unload the rpadlpar_io kernel module on systems that do not require PCI hot-plug DLPAR functionality.
- Blacklist the rpadlpar_io module via /etc/modprobe.d/ on PowerPC hosts that do not use PCI hot-plug DLPAR (the module is not built for other architectures, so there is nothing to blacklist there).
- Restrict write permissions on /sys/bus/pci/slots/*/add_slot and remove_slot through stricter sudo and access policies.
# Configuration example
# Check whether the vulnerable module is loaded (it exists only on PowerPC builds)
lsmod | grep -w rpadlpar_io
# Unload it now if PCI hot-plug DLPAR is not needed on this host
sudo modprobe -r rpadlpar_io
# Blacklist it and refuse explicit loads so it stays out after the next boot
printf 'blacklist rpadlpar_io\ninstall rpadlpar_io /bin/false\n' | sudo tee /etc/modprobe.d/disable-rpadlpar.conf
# Confirm the running kernel is newer than 5.11.8 or carries the vendor backport
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


