CVE-2021-3764 Overview
A memory leak vulnerability was discovered in the Linux kernel's ccp_run_aes_gcm_cmd() function within the CCP (Cryptographic Coprocessor) driver. This flaw allows a local attacker with low privileges to cause a denial of service condition by exhausting system memory resources. The vulnerability is similar to the previously identified CVE-2019-18808, indicating a recurring pattern in resource management within this cryptographic subsystem.
Critical Impact
This memory leak vulnerability can be exploited to cause system instability and denial of service by exhausting kernel memory resources, potentially affecting system availability on servers and workstations utilizing AMD CCP hardware.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 5.15 and release candidates (5.15-rc1, 5.15-rc2, 5.15-rc3)
- Systems utilizing AMD Cryptographic Coprocessor (CCP) driver
Discovery Timeline
- 2022-08-23 - CVE-2021-3764 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3764
Vulnerability Analysis
The vulnerability resides in the ccp_run_aes_gcm_cmd() function located in drivers/crypto/ccp/ccp-ops.c. This function handles AES-GCM (Galois/Counter Mode) cryptographic operations for the AMD CCP hardware accelerator. The flaw occurs due to improper error handling during DMA (Direct Memory Access) operations, where allocated resources are not properly released when certain error conditions are encountered.
When the DMA mapping operation fails, the code incorrectly jumps to an error handler (e_ctx) that doesn't properly clean up the previously allocated AAD (Additional Authenticated Data) resources. This results in memory being allocated but never freed, causing a gradual memory leak that can be exploited through repeated cryptographic operations.
Root Cause
The root cause is a resource leak vulnerability (CWE-401) combined with improper resource control (CWE-400). Specifically, when an error occurs during the DMA setup for cryptographic operations, the error handling path fails to properly deallocate the AAD buffer that was allocated earlier in the function. The incorrect goto label (e_ctx instead of e_aad) skips the necessary cleanup code, leaving allocated memory orphaned in kernel space.
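The unwind pattern described above, reduced to a self-contained model so the leak is directly observable. This is an added illustration written for this page, not code from the Linux kernel or the CCP driver: the names stage_init(), stage_free(), run_aes_gcm() and leaked_after() are invented stand-ins, each "stage" is a plain heap allocation instead of a DMA-mapped CCP data structure, and a counter of live buffers takes the place of kmemleak. The source-mapping failure from the patch hunk is simulated with a flag, and the same function can be run with the vulnerable `goto e_ctx` or the patched `goto e_aad`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Number of stage buffers currently allocated. Anything non-zero after an
 * operation has returned is leaked memory. */
static int live_bufs;

/* One CCP "data stage" (context, AAD, source ...): a buffer that, in the
 * real driver, is also DMA-mapped. Here it is a plain heap allocation. */
struct stage {
    void *buf;
};

/* Hypothetical stand-in for the driver's per-stage setup. 'map_fails'
 * simulates the DMA-mapping failure that triggers the buggy error path. */
static int stage_init(struct stage *s, bool map_fails)
{
    if (map_fails)
        return -ENOMEM;
    s->buf = malloc(64);
    if (!s->buf)
        return -ENOMEM;
    live_bufs++;
    return 0;
}

static void stage_free(struct stage *s)
{
    free(s->buf);
    s->buf = NULL;
    live_bufs--;
}

/* Model of ccp_run_aes_gcm_cmd()'s unwind chain. Stages are set up in
 * order and torn down in reverse order through the goto labels, so each
 * error return must jump to the label matching what is already allocated. */
static int run_aes_gcm(bool src_map_fails, bool patched)
{
    struct stage ctx = {0}, aad = {0}, src = {0};
    int ret;

    ret = stage_init(&ctx, false);
    if (ret)
        return ret;

    ret = stage_init(&aad, false);
    if (ret)
        goto e_ctx;                 /* only ctx exists: correct target */

    /* The step from the patch hunk: mapping the source buffer. */
    ret = stage_init(&src, src_map_fails);
    if (ret) {
        if (patched)
            goto e_aad;             /* fixed: releases aad, then ctx */
        goto e_ctx;                 /* CVE-2021-3764: aad is never freed */
    }

    /* ... the AES-GCM request would be submitted to the CCP here ... */

    stage_free(&src);
e_aad:
    stage_free(&aad);
e_ctx:
    stage_free(&ctx);
    return ret;
}

/* Run 'n' operations whose source mapping fails and report how many stage
 * buffers are still held afterwards (one per failed call on the bad path). */
int leaked_after(int n, bool patched)
{
    live_bufs = 0;
    for (int i = 0; i < n; i++)
        run_aes_gcm(true, patched);
    return live_bufs;
}

int main(void)
{
    printf("vulnerable: %d buffers leaked after 100 failed ops\n",
           leaked_after(100, false));
    printf("patched:    %d buffers leaked after 100 failed ops\n",
           leaked_after(100, true));
    return 0;
}
```

The model makes the review rule behind the fix explicit: a label-chain unwind is only correct when every `goto` targets the label for the most recently completed setup step, and the leak here grows by exactly one AAD buffer per failed operation, which is why repeated failing requests exhaust memory.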
Attack Vector
This vulnerability requires local access to the system with low privileges. An attacker can exploit this flaw by repeatedly invoking the vulnerable cryptographic operation through the kernel's crypto subsystem interface. Each failed or crafted operation leaves behind unreleased memory, eventually leading to memory exhaustion and system denial of service. The attack does not require user interaction and can be automated for persistent impact.
in_place ? DMA_BIDIRECTIONAL
: DMA_TO_DEVICE);
if (ret)
- goto e_ctx;
+ goto e_aad;
if (in_place) {
dst = src;
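Review bot: retargeting this `if (ret)` to e_aad is the right fix, because at this point the AAD data structure set up earlier in the function is still mapped and only the e_aad label releases it; jumping to e_ctx when the source mapping fails unwinds the context but orphans the AAD buffer, which is exactly the leak this CVE describes. The `in_place ? DMA_BIDIRECTIONAL : DMA_TO_DEVICE` direction argument shows this is the source-buffer mapping, so the hunk covers only that one failure point; it would be worth re-checking the remaining error returns between here and the cleanup block to confirm each one targets the label matching what has already been allocated.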
Source: GitHub Linux Commit
Detection Methods for CVE-2021-3764
Indicators of Compromise
- Gradual increase in kernel memory usage over time without corresponding user-space activity
- System log entries indicating memory allocation failures in the CCP driver
- Unexplained system slowdowns or out-of-memory (OOM) killer activations
- Increased activity in /proc/slabinfo related to cryptographic operations
Detection Strategies
- Monitor kernel memory allocation patterns using tools like slabtop or /proc/meminfo
- Implement alerts for unusual memory consumption in systems with AMD CCP hardware
- Review system logs for CCP driver errors or memory allocation failures
- Use kernel tracing tools (ftrace, perf) to monitor ccp_run_aes_gcm_cmd() function calls and error returns
Monitoring Recommendations
- Configure memory usage thresholds and alerts on systems using AMD CCP hardware
- Implement regular system health checks that include kernel memory statistics
- Enable kernel memory leak detection (CONFIG_DEBUG_KMEMLEAK) in development or staging environments to detect leaks
- Monitor for abnormal patterns in cryptographic operation requests
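The /proc/meminfo monitoring and threshold alerting suggested in the detection and monitoring lists above, as an added example written for this page rather than anything from the kernel or a monitoring product. The snapshots are constructed /proc/meminfo excerpts, not real captures; the functions meminfo_field_kb() and slab_growth_alerts() are hypothetical names. It tracks SUnreclaim, the unreclaimable slab total where kmalloc-backed driver allocations such as the leaked AAD buffers are accounted, and flags every sampling interval in which it grows by more than a threshold while SReclaimable stays flat.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/meminfo excerpts, one per sampling interval (not real
 * captures). SUnreclaim climbs steadily while SReclaimable stays flat,
 * which is the signature an unbounded kernel allocation leak produces. */
static const char *const SAMPLES[] = {
    "MemTotal:       16384000 kB\nMemAvailable:   12000000 kB\n"
    "Slab:             180000 kB\nSReclaimable:      60000 kB\nSUnreclaim:       120000 kB\n",
    "MemTotal:       16384000 kB\nMemAvailable:   11980000 kB\n"
    "Slab:             195000 kB\nSReclaimable:      60000 kB\nSUnreclaim:       135000 kB\n",
    "MemTotal:       16384000 kB\nMemAvailable:   11960000 kB\n"
    "Slab:             212000 kB\nSReclaimable:      60000 kB\nSUnreclaim:       152000 kB\n",
    "MemTotal:       16384000 kB\nMemAvailable:   11940000 kB\n"
    "Slab:             230000 kB\nSReclaimable:      60000 kB\nSUnreclaim:       170000 kB\n",
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Return the kB value of 'field' ("SUnreclaim", "Slab", ...) from one
 * snapshot, or -1 if the field is absent. Matches only at line start and
 * requires the ':' so that "Slab" does not match a longer field name. */
long meminfo_field_kb(const char *snapshot, const char *field)
{
    size_t flen = strlen(field);
    const char *line = snapshot;

    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            long kb;
            return sscanf(line + flen + 1, "%ld", &kb) == 1 ? kb : -1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Count the intervals in which SUnreclaim grew by more than threshold_kb.
 * Malformed snapshots (field missing) are skipped rather than treated as
 * growth, so a parse error cannot by itself raise an alert. */
int slab_growth_alerts(const char *const *snaps, size_t n, long threshold_kb)
{
    int alerts = 0;
    for (size_t i = 1; i < n; i++) {
        long prev = meminfo_field_kb(snaps[i - 1], "SUnreclaim");
        long cur  = meminfo_field_kb(snaps[i], "SUnreclaim");
        if (prev < 0 || cur < 0)
            continue;
        if (cur - prev > threshold_kb)
            alerts++;
    }
    return alerts;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("sample %zu: SUnreclaim %ld kB\n", i,
               meminfo_field_kb(SAMPLES[i], "SUnreclaim"));
    printf("intervals with more than 10000 kB growth: %d\n",
           slab_growth_alerts(SAMPLES, NSAMPLES, 10000));
    return 0;
}
```

In production the snapshots would be read from /proc/meminfo on a timer, and a run of consecutive alerts (rather than a single spike, which normal workload churn also produces) is the condition worth paging on; on hosts with the ccp module loaded, correlating such a run with CCP error messages in the kernel log narrows it to this driver.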
How to Mitigate CVE-2021-3764
Immediate Actions Required
- Update the Linux kernel to a patched version that includes commit 505d9dcb0f7ddf9d075e729523a33d38642ae680
- Review systems using AMD CCP hardware accelerators for signs of memory exhaustion
- Consider temporarily disabling the CCP driver if patching is not immediately possible
- Implement memory monitoring and alerting as an interim protective measure
Patch Information
The vulnerability has been addressed in the upstream Linux kernel through commit 505d9dcb0f7ddf9d075e729523a33d38642ae680. This fix corrects the error handling path in ccp_run_aes_gcm_cmd() by changing the goto label from e_ctx to e_aad, ensuring proper cleanup of allocated resources when DMA mapping fails. Users should update to a kernel version that includes this commit or apply the patch from the GitHub Linux Commit Reference.
Additional distribution-specific advisories are available from Red Hat and the Debian Security Tracker.
Workarounds
- Blacklist or unload the ccp kernel module if AMD CCP hardware acceleration is not required
- Restrict access to cryptographic interfaces for untrusted local users
- Implement resource limits (cgroups) to contain the impact of memory exhaustion attacks
- Schedule regular system reboots as a temporary measure to reclaim leaked memory
# Temporarily disable CCP driver module
sudo modprobe -r ccp
# Blacklist the CCP module to prevent automatic loading
echo "blacklist ccp" | sudo tee /etc/modprobe.d/blacklist-ccp.conf
# Verify module is not loaded
lsmod | grep ccp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.