CVE-2021-47497

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47497
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47497.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-47497
Related
Published
2024-05-22T09:15:11Z
Modified
2024-09-11T04:41:12.540867Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

If a cell has 'nbits' equal to a multiple of BITSPERBYTE the logic

*p &= GENMASK((cell->nbits%BITSPERBYTE) - 1, 0);

will become undefined behavior because nbits modulo BITSPERBYTE is 0, and we subtract one from that making a large number that is then shifted more than the number of bits that fit into an unsigned long.

UBSAN reports this problem:

UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8 shift exponent 64 is too large for 64-bit type 'unsigned long' CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9 Hardware name: Google Lazor (rev3+) with KB Backlight (DT) Workqueue: eventsunbound deferredprobeworkfunc Call trace: dumpbacktrace+0x0/0x170 showstack+0x24/0x30 dumpstacklvl+0x64/0x7c dumpstack+0x18/0x38 ubsanepilogue+0x10/0x54 _ubsanhandleshiftoutofbounds+0x180/0x194 _nvmemcellread+0x1ec/0x21c nvmemcellread+0x58/0x94 nvmemcellreadvariablecommon+0x4c/0xb0 nvmemcellreadvariableleu32+0x40/0x100 a6xxgpuinit+0x170/0x2f4 adrenobind+0x174/0x284 componentbindall+0xf0/0x264 msmdrmbind+0x1d8/0x7a0 trytobringupmaster+0x164/0x1ac _componentadd+0xbc/0x13c componentadd+0x20/0x2c dpdisplayprobe+0x340/0x384 platformprobe+0xc0/0x100 reallyprobe+0x110/0x304 _driverprobedevice+0xb8/0x120 driverprobedevice+0x4c/0xfc _deviceattachdriver+0xb0/0x128 busforeachdrv+0x90/0xdc _deviceattach+0xc8/0x174 deviceinitialprobe+0x20/0x2c busprobedevice+0x40/0xa4 deferredprobeworkfunc+0x7c/0xb8 processonework+0x128/0x21c processscheduledworks+0x40/0x54 workerthread+0x1ec/0x2a8 kthread+0x138/0x158 retfrom_fork+0x10/0x20

Fix it by making sure there are any bits to mask out.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}