CVE-2021-47549

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47549
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47549.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47549
Related
Published
2024-05-24T15:15:19Z
Modified
2024-09-11T04:41:13.931722Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

satafsl: fix UAF in satafslportstop when rmmod sata_fsl

When the rmmod sata_fsl.ko command is executed in the PPC64 GNU/Linux, a bug is reported: ================================================================== BUG: Unable to handle kernel data access on read at 0x80000800805b502c Oops: Kernel access of bad area, sig: 11 [#1] NIP [c0000000000388a4] .ioread32+0x4/0x20 LR [80000000000c6034] .satafslportstop+0x44/0xe0 [satafsl] Call Trace: .freeirq+0x1c/0x4e0 (unreliable) .atahoststop+0x74/0xd0 [libata] .releasenodes+0x330/0x3f0 .devicereleasedriverinternal+0x178/0x2c0 .driverdetach+0x64/0xd0 .busremovedriver+0x70/0xf0 .driverunregister+0x38/0x80 .platformdriverunregister+0x14/0x30 .fslsatadriverexit+0x18/0xa20 [satafsl] .sesysdeletemodule+0x1ec/0x2d0 .systemcallexception+0xfc/0x1f0 systemcallcommon+0xf8/0x200 ==================================================================

The triggering of the BUG is shown in the following stack:

driverdetach devicereleasedriverinternal _devicereleasedriver drv->remove(dev) --> platformdrvremove/platformremove drv->remove(dev) --> satafslremove iounmap(hostpriv->hcrbase); <---- unmap kfree(hostpriv); <---- free devresreleaseall releasenodes dr->node.release(dev, dr->data) --> atahoststop ap->ops->portstop(ap) --> satafslportstop ioread32(hcrbase + HCONTROL) <---- UAF host->ops->hoststop(host)

The iounmap(hostpriv->hcrbase) and kfree(hostpriv) functions should not be executed in drv->remove. These functions should be executed in hoststop after portstop. Therefore, we move these functions to the new function satafslhoststop and bind the new function to host_stop.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}