CVE-2021-47497

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 22/05/2024
Last modified: 24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic

    *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);

will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
subtract one from that making a large number that is then shifted more than the
number of bits that fit into an unsigned long.

UBSAN reports this problem:

    UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
    shift exponent 64 is too large for 64-bit type 'unsigned long'
    CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
    Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
    Workqueue: events_unbound deferred_probe_work_func
    Call trace:
     dump_backtrace+0x0/0x170
     show_stack+0x24/0x30
     dump_stack_lvl+0x64/0x7c
     dump_stack+0x18/0x38
     ubsan_epilogue+0x10/0x54
     __ubsan_handle_shift_out_of_bounds+0x180/0x194
     __nvmem_cell_read+0x1ec/0x21c
     nvmem_cell_read+0x58/0x94
     nvmem_cell_read_variable_common+0x4c/0xb0
     nvmem_cell_read_variable_le_u32+0x40/0x100
     a6xx_gpu_init+0x170/0x2f4
     adreno_bind+0x174/0x284
     component_bind_all+0xf0/0x264
     msm_drm_bind+0x1d8/0x7a0
     try_to_bring_up_master+0x164/0x1ac
     __component_add+0xbc/0x13c
     component_add+0x20/0x2c
     dp_display_probe+0x340/0x384
     platform_probe+0xc0/0x100
     really_probe+0x110/0x304
     __driver_probe_device+0xb8/0x120
     driver_probe_device+0x4c/0xfc
     __device_attach_driver+0xb0/0x128
     bus_for_each_drv+0x90/0xdc
     __device_attach+0xc8/0x174
     device_initial_probe+0x20/0x2c
     bus_probe_device+0x40/0xa4
     deferred_probe_work_func+0x7c/0xb8
     process_one_work+0x128/0x21c
     process_scheduled_works+0x40/0x54
     worker_thread+0x1ec/0x2a8
     kthread+0x138/0x158
     ret_from_fork+0x10/0x20

Fix it by making sure there are any bits to mask out.

Vulnerable products and versions

CPE                                                 From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.3 (including)   4.4.290 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.5 (including)   4.9.288 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.10 (including)  4.14.252 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.15 (including)  4.19.213 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        4.20 (including)  5.4.155 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.5 (including)   5.10.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)  5.14.14 (excluding)
cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*