cve-2021-47436
Vulnerability from cvelistv5
Published: 2024-05-22 06:19
Modified: 2024-12-19 07:41
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: musb: dsps: Fix the probe error path

Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb") has inverted the calls to dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without updating correctly the error path. dsps_create_musb_pdev() allocates and registers a new platform device which must be unregistered and freed with platform_device_unregister(), and this is missing upon dsps_setup_optional_vbus_irq() error.

While on the master branch it seems not to trigger any issue, I observed a kernel crash because of a NULL pointer dereference with a v5.10.70 stable kernel where the patch mentioned above was backported. With this kernel version, -EPROBE_DEFER is returned the first time dsps_setup_optional_vbus_irq() is called which triggers the probe to error out without unregistering the platform device. Unfortunately, on the Beagle Bone Black Wireless, the platform device still living in the system is being used by the USB Ethernet gadget driver, which during the boot phase triggers the crash.

My limited knowledge of the musb world prevents me to revert this commit which was sent to silence a robot warning which, as far as I understand, does not make sense. The goal of this patch was to prevent an IRQ to fire before the platform device being registered. I think this cannot ever happen due to the fact that enabling the interrupts is done by the ->enable() callback of the platform musb device, and this platform device must be already registered in order for the core or any other user to use this callback.

Hence, I decided to fix the error path, which might prevent future errors on mainline kernels while also fixing older ones.
Impacted products
Vendor: Linux
Product: Linux
Version: 4.14.247
Version: 4.19.207
Version: 5.4.148
Version: 5.10.67
Version: 5.14.6


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47436",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T18:03:36.424310Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T18:04:23.811Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:58.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ed60a430fb5f3d93e7fef66264daef466b4d10c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e923bce31ffefe4f60edfc6b84f62d4a858f3676"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9ab5d539bc975b8dcde86eca1b58d836b657732e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9d89e287116796bf987cc48f5c8632ef3048f8eb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ff9249aab39820be11b6975a10d94253b7d426fc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c2115b2b16421d93d4993f3fe4c520e91d6fe801"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/musb/musb_dsps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5ed60a430fb5f3d93e7fef66264daef466b4d10c",
              "status": "affected",
              "version": "5269937d1483d3159d5b51907346e4f4b13ef079",
              "versionType": "git"
            },
            {
              "lessThan": "e923bce31ffefe4f60edfc6b84f62d4a858f3676",
              "status": "affected",
              "version": "ffc825049ed2e8c849d318e987fd5073e0be462f",
              "versionType": "git"
            },
            {
              "lessThan": "9ab5d539bc975b8dcde86eca1b58d836b657732e",
              "status": "affected",
              "version": "9a4a6805294fa7d2653e82972bdaf9e3e1f3d3c9",
              "versionType": "git"
            },
            {
              "lessThan": "9d89e287116796bf987cc48f5c8632ef3048f8eb",
              "status": "affected",
              "version": "8de01a896c1bc14b6b65b8d26013626597a45eda",
              "versionType": "git"
            },
            {
              "lessThan": "ff9249aab39820be11b6975a10d94253b7d426fc",
              "status": "affected",
              "version": "72bb3eafcfdd156713a3ea0c9c95d536bd6e6e55",
              "versionType": "git"
            },
            {
              "lessThan": "c2115b2b16421d93d4993f3fe4c520e91d6fe801",
              "status": "affected",
              "version": "7c75bde329d7e2a93cf86a5c15c61f96f1446cdc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/musb/musb_dsps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4.14.252",
              "status": "affected",
              "version": "4.14.247",
              "versionType": "semver"
            },
            {
              "lessThan": "4.19.213",
              "status": "affected",
              "version": "4.19.207",
              "versionType": "semver"
            },
            {
              "lessThan": "5.4.155",
              "status": "affected",
              "version": "5.4.148",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.75",
              "status": "affected",
              "version": "5.10.67",
              "versionType": "semver"
            },
            {
              "lessThan": "5.14.14",
              "status": "affected",
              "version": "5.14.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: dsps: Fix the probe error path\n\nCommit 7c75bde329d7 (\"usb: musb: musb_dsps: request_irq() after\ninitializing musb\") has inverted the calls to\ndsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without\nupdating correctly the error path. dsps_create_musb_pdev() allocates and\nregisters a new platform device which must be unregistered and freed\nwith platform_device_unregister(), and this is missing upon\ndsps_setup_optional_vbus_irq() error.\n\nWhile on the master branch it seems not to trigger any issue, I observed\na kernel crash because of a NULL pointer dereference with a v5.10.70\nstable kernel where the patch mentioned above was backported. With this\nkernel version, -EPROBE_DEFER is returned the first time\ndsps_setup_optional_vbus_irq() is called which triggers the probe to\nerror out without unregistering the platform device. Unfortunately, on\nthe Beagle Bone Black Wireless, the platform device still living in the\nsystem is being used by the USB Ethernet gadget driver, which during the\nboot phase triggers the crash.\n\nMy limited knowledge of the musb world prevents me to revert this commit\nwhich was sent to silence a robot warning which, as far as I understand,\ndoes not make sense. The goal of this patch was to prevent an IRQ to\nfire before the platform device being registered. I think this cannot\never happen due to the fact that enabling the interrupts is done by the\n-\u003eenable() callback of the platform musb device, and this platform\ndevice must be already registered in order for the core or any other\nuser to use this callback.\n\nHence, I decided to fix the error path, which might prevent future\nerrors on mainline kernels while also fixing older ones."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:41:57.063Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5ed60a430fb5f3d93e7fef66264daef466b4d10c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e923bce31ffefe4f60edfc6b84f62d4a858f3676"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ab5d539bc975b8dcde86eca1b58d836b657732e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d89e287116796bf987cc48f5c8632ef3048f8eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff9249aab39820be11b6975a10d94253b7d426fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2115b2b16421d93d4993f3fe4c520e91d6fe801"
        }
      ],
      "title": "usb: musb: dsps: Fix the probe error path",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47436",
    "datePublished": "2024-05-22T06:19:32.220Z",
    "dateReserved": "2024-05-21T14:58:30.830Z",
    "dateUpdated": "2024-12-19T07:41:57.063Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

