CVE-2021-47435
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
22/05/2024
Last modified:
31/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
dm: fix mempool NULL pointer race when completing IO<br />
<br />
dm_io_dec_pending() calls end_io_acct() first and will then dec md<br />
in-flight pending count. But if a task is swapping DM table at same<br />
time this can result in a crash due to mempool->elements being NULL:<br />
<br />
task1 task2<br />
do_resume<br />
->do_suspend<br />
->dm_wait_for_completion<br />
bio_endio<br />
->clone_endio<br />
->dm_io_dec_pending<br />
->end_io_acct<br />
->wakeup task1<br />
->dm_swap_table<br />
->__bind<br />
->__bind_mempools<br />
->bioset_exit<br />
->mempool_exit<br />
->free_io<br />
<br />
[ 67.330330] Unable to handle kernel NULL pointer dereference at<br />
virtual address 0000000000000000<br />
......<br />
[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)<br />
[ 67.330510] pc : mempool_free+0x70/0xa0<br />
[ 67.330515] lr : mempool_free+0x4c/0xa0<br />
[ 67.330520] sp : ffffff8008013b20<br />
[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004<br />
[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8<br />
[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800<br />
[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800<br />
[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80<br />
[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c<br />
[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd<br />
[ 67.330563] x15: 000000000093b41e x14: 0000000000000010<br />
[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555<br />
[ 67.330574] x11: 0000000000000001 x10: 0000000000000001<br />
[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000<br />
[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a<br />
[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001<br />
[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8<br />
[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970<br />
[ 67.330609] Call trace:<br />
[ 67.330616] mempool_free+0x70/0xa0<br />
[ 67.330627] bio_put+0xf8/0x110<br />
[ 67.330638] dec_pending+0x13c/0x230<br />
[ 67.330644] clone_endio+0x90/0x180<br />
[ 67.330649] bio_endio+0x198/0x1b8<br />
[ 67.330655] dec_pending+0x190/0x230<br />
[ 67.330660] clone_endio+0x90/0x180<br />
[ 67.330665] bio_endio+0x198/0x1b8<br />
[ 67.330673] blk_update_request+0x214/0x428<br />
[ 67.330683] scsi_end_request+0x2c/0x300<br />
[ 67.330688] scsi_io_completion+0xa0/0x710<br />
[ 67.330695] scsi_finish_command+0xd8/0x110<br />
[ 67.330700] scsi_softirq_done+0x114/0x148<br />
[ 67.330708] blk_done_softirq+0x74/0xd0<br />
[ 67.330716] __do_softirq+0x18c/0x374<br />
[ 67.330724] irq_exit+0xb4/0xb8<br />
[ 67.330732] __handle_domain_irq+0x84/0xc0<br />
[ 67.330737] gic_handle_irq+0x148/0x1b0<br />
[ 67.330744] el1_irq+0xe8/0x190<br />
[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538<br />
[ 67.330759] cpuidle_enter_state+0x1fc/0x398<br />
[ 67.330764] cpuidle_enter+0x18/0x20<br />
[ 67.330772] do_idle+0x1b4/0x290<br />
[ 67.330778] cpu_startup_entry+0x20/0x28<br />
[ 67.330786] secondary_start_kernel+0x160/0x170<br />
<br />
Fix this by:<br />
1) Establishing pointers to &#39;struct dm_io&#39; members in<br />
dm_io_dec_pending() so that they may be passed into end_io_acct()<br />
_after_ free_io() is called.<br />
2) Moving end_io_acct() after free_io().
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.313 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.278 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.242 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.193 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.14.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb
- https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87
- https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed
- https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4
- https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95
- https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61
- https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c
- https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb
- https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87
- https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed
- https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4
- https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95
- https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61
- https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c