CVE-2021-47169
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
25/03/2024
Last modified:
03/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
serial: rp2: use &#39;request_firmware&#39; instead of &#39;request_firmware_nowait&#39;<br />
<br />
In &#39;rp2_probe&#39;, the driver registers &#39;rp2_uart_interrupt&#39; then calls<br />
&#39;rp2_fw_cb&#39; through &#39;request_firmware_nowait&#39;. In &#39;rp2_fw_cb&#39;, if the<br />
firmware don&#39;t exists, function just return without initializing ports<br />
of &#39;rp2_card&#39;. But now the interrupt handler function has been<br />
registered, and when an interrupt comes, &#39;rp2_uart_interrupt&#39; may access<br />
those ports then causing NULL pointer dereference or other bugs.<br />
<br />
Because the driver does some initialization work in &#39;rp2_fw_cb&#39;, in<br />
order to make the driver ready to handle interrupts, &#39;request_firmware&#39;<br />
should be used instead of asynchronous &#39;request_firmware_nowait&#39;.<br />
<br />
This report reveals it:<br />
<br />
INFO: trying to register non-static key.<br />
the code is fine but needs lockdep annotation.<br />
turning off the locking correctness validator.<br />
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-<br />
gc9ba5276e321-prebuilt.qemu.org 04/01/2014<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:77 [inline]<br />
dump_stack+0xec/0x156 lib/dump_stack.c:118<br />
assign_lock_key kernel/locking/lockdep.c:727 [inline]<br />
register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753<br />
__lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303<br />
lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907<br />
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]<br />
_raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144<br />
spin_lock include/linux/spinlock.h:329 [inline]<br />
rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline]<br />
rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493<br />
rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504<br />
__handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149<br />
handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189<br />
handle_irq_event+0xac/0x140 kernel/irq/handle.c:206<br />
handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725<br />
generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]<br />
handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87<br />
do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247<br />
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670<br />
<br />
RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61<br />
Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8<br />
8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 c3 90 90 90<br />
90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41<br />
RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde<br />
RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285<br />
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200<br />
RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840<br />
R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002<br />
R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000<br />
arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]<br />
default_idle+0x6f/0x360 arch/x86/kernel/process.c:557<br />
arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548<br />
default_idle_call+0x3b/0x60 kernel/sched/idle.c:93<br />
cpuidle_idle_call kernel/sched/idle.c:153 [inline]<br />
do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263<br />
cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369<br />
start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271<br />
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243<br />
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010<br />
PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0<br />
Oops: 0000 [#1] PREEMPT SMP KASAN PTI<br />
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-<br />
gc9ba5276e321-prebuilt.qemu.org 04/01/2014<br />
RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline]<br />
RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline]<br />
RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c:<br />
493<br />
Co<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.271 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.5 (including) | 4.9.271 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.235 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.193 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.124 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.42 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/016002848c82eeb5d460489ce392d91fe18c475c
- https://git.kernel.org/stable/c/1cc57cb32c84e059bd158494f746b665fc14d1b1
- https://git.kernel.org/stable/c/1e04d5d5fe5e76af68f834e1941fcbfa439653be
- https://git.kernel.org/stable/c/35265552c7fe9553c75e324c80f45e28ff14eb6e
- https://git.kernel.org/stable/c/6a931ceb0b9401fe18d0c500e08164bf9cc7be4b
- https://git.kernel.org/stable/c/915452f40e2f495e187276c4407a4f567ec2307e
- https://git.kernel.org/stable/c/9b07b6973f7359e2dd6a9fe6db0c142634c823b7
- https://git.kernel.org/stable/c/c697244ce940ec07e2d745ccb63ca97fc0266fbc
- https://git.kernel.org/stable/c/016002848c82eeb5d460489ce392d91fe18c475c
- https://git.kernel.org/stable/c/1cc57cb32c84e059bd158494f746b665fc14d1b1
- https://git.kernel.org/stable/c/1e04d5d5fe5e76af68f834e1941fcbfa439653be
- https://git.kernel.org/stable/c/35265552c7fe9553c75e324c80f45e28ff14eb6e
- https://git.kernel.org/stable/c/6a931ceb0b9401fe18d0c500e08164bf9cc7be4b
- https://git.kernel.org/stable/c/915452f40e2f495e187276c4407a4f567ec2307e
- https://git.kernel.org/stable/c/9b07b6973f7359e2dd6a9fe6db0c142634c823b7
- https://git.kernel.org/stable/c/c697244ce940ec07e2d745ccb63ca97fc0266fbc