CVE-2021-47369

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/05/2024
Last modified: 02/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix NULL deref in qeth_clear_working_pool_list()

When qeth_set_online() calls qeth_clear_working_pool_list() to roll back after an error exit from qeth_hardsetup_card(), we are at risk of accessing card->qdio.in_q before it was allocated by qeth_alloc_qdio_queues() via qeth_mpc_initialize().

qeth_clear_working_pool_list() then dereferences NULL, and by writing to queue->bufs[i].pool_entry scribbles all over the CPU's lowcore, resulting in a crash when those lowcore areas are used next (e.g. on the next machine-check interrupt).

Such a scenario would typically happen when the device is first set online and its queues aren't allocated yet. An early IO error or certain misconfigs (e.g. mismatched transport mode, bad portno) then cause us to error out from qeth_hardsetup_card() with card->qdio.in_q still being NULL.

Fix it by checking the pointer for NULL before accessing it.

Note that we also have (rare) paths inside qeth_mpc_initialize() where a configuration change can cause us to free the existing queues, expecting that subsequent code will allocate them again. If we then error out before that re-allocation happens, the same bug occurs.

Root-caused-by: Heiko Carstens
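The rollback-ordering bug above, as an added illustration that is not the kernel's qeth code: a minimal model in which qeth_set_online() rolls back through qeth_clear_working_pool_list() after qeth_hardsetup_card() fails before the queues exist, with the NULL check that the fix adds. The structure layouts, the fail_early parameter and the use of QDIO_MAX_BUFFERS_PER_Q as the buffer count are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout: only the fields the advisory talks about are modelled. */
#define QDIO_MAX_BUFFERS_PER_Q 128

struct qeth_qdio_buffer { void *pool_entry; };
struct qeth_qdio_q      { struct qeth_qdio_buffer bufs[QDIO_MAX_BUFFERS_PER_Q]; };
struct qeth_card        { struct { struct qeth_qdio_q *in_q; } qdio; };

/* Rollback helper. Before the fix the loop ran unconditionally, so a NULL
 * in_q meant writes through queue->bufs[i].pool_entry from address 0. */
static void qeth_clear_working_pool_list(struct qeth_card *card)
{
    struct qeth_qdio_q *queue = card->qdio.in_q;

    if (!queue)          /* the fix: queues not allocated yet, nothing to clear */
        return;
    for (int i = 0; i < QDIO_MAX_BUFFERS_PER_Q; i++)
        queue->bufs[i].pool_entry = NULL;
}

/* Stand-in for qeth_alloc_qdio_queues() (reached via qeth_mpc_initialize()). */
static int qeth_alloc_qdio_queues(struct qeth_card *card)
{
    card->qdio.in_q = calloc(1, sizeof(*card->qdio.in_q));
    return card->qdio.in_q ? 0 : -ENOMEM;
}

/* Stand-in for qeth_hardsetup_card(): fail_early (assumed parameter) models an
 * early IO error or misconfiguration that aborts before the queues exist. */
static int qeth_hardsetup_card(struct qeth_card *card, int fail_early)
{
    if (fail_early)
        return -EIO;
    return qeth_alloc_qdio_queues(card);
}

/* Models qeth_set_online(): any setup error is rolled back via the pool clear. */
int qeth_set_online(struct qeth_card *card, int fail_early)
{
    int rc = qeth_hardsetup_card(card, fail_early);

    if (rc)
        qeth_clear_working_pool_list(card);   /* safe even when in_q == NULL */
    return rc;
}
```

With the guard in place, the early-failure path returns the setup error without touching card->qdio.in_q; once the queues exist, the same call clears every pool_entry.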

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7.16 (including) | 5.8 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8.2 (including) | 5.10.70 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.14.9 (excluding)
cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | |