cve-2021-47533
Vulnerability from cvelistv5
Published
2024-05-24 15:09
Modified
2024-12-19 07:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Clear the HVS FIFO commit pointer once done Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a wait on the previous commit done on a given HVS FIFO. However, we never cleared that pointer once done. Since drm_crtc_commit_put can free the drm_crtc_commit structure directly if we were the last user, this means that it can lead to a use-after free if we were to duplicate the state, and that stale pointer would even be copied to the new state. Set the pointer to NULL once we're done with the wait so that we don't carry over a pointer to a free'd structure.
Impacted products
Vendor Product Version
Linux Linux Version: 5.12
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47533",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-24T19:17:49.041066Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:15:00.137Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vc4/vc4_kms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2931db9a5ed219546cf2ae0546698faf78281b89",
              "status": "affected",
              "version": "9ec03d7f1ed394897891319a4dda75f52c5d292d",
              "versionType": "git"
            },
            {
              "lessThan": "d134c5ff71c7f2320fc7997f2fbbdedf0c76889a",
              "status": "affected",
              "version": "9ec03d7f1ed394897891319a4dda75f52c5d292d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vc4/vc4_kms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: kms: Clear the HVS FIFO commit pointer once done\n\nCommit 9ec03d7f1ed3 (\"drm/vc4: kms: Wait on previous FIFO users before a\ncommit\") introduced a wait on the previous commit done on a given HVS\nFIFO.\n\nHowever, we never cleared that pointer once done. Since\ndrm_crtc_commit_put can free the drm_crtc_commit structure directly if\nwe were the last user, this means that it can lead to a use-after free\nif we were to duplicate the state, and that stale pointer would even be\ncopied to the new state.\n\nSet the pointer to NULL once we\u0027re done with the wait so that we don\u0027t\ncarry over a pointer to a free\u0027d structure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:44:19.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89"
        },
        {
          "url": "https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a"
        }
      ],
      "title": "drm/vc4: kms: Clear the HVS FIFO commit pointer once done",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47533",
    "datePublished": "2024-05-24T15:09:42.683Z",
    "dateReserved": "2024-05-24T15:02:54.826Z",
    "dateUpdated": "2024-12-19T07:44:19.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47533\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:16.773\",\"lastModified\":\"2024-11-21T06:36:28.440\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vc4: kms: Clear the HVS FIFO commit pointer once done\\n\\nCommit 9ec03d7f1ed3 (\\\"drm/vc4: kms: Wait on previous FIFO users before a\\ncommit\\\") introduced a wait on the previous commit done on a given HVS\\nFIFO.\\n\\nHowever, we never cleared that pointer once done. Since\\ndrm_crtc_commit_put can free the drm_crtc_commit structure directly if\\nwe were the last user, this means that it can lead to a use-after free\\nif we were to duplicate the state, and that stale pointer would even be\\ncopied to the new state.\\n\\nSet the pointer to NULL once we\u0027re done with the wait so that we don\u0027t\\ncarry over a pointer to a free\u0027d structure.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vc4: kms: borre el puntero de commit FIFO de HVS una vez realizado. El commit 9ec03d7f1ed3 (\\\"drm/vc4: kms: espere a los usuarios FIFO anteriores antes de una confirmaci\u00f3n\\\") introdujo una espera en el commit anterior realizada en un HVS FIFO determinado. Sin embargo, nunca borramos ese puntero una vez hecho. Dado que drm_crtc_commit_put puede liberar la estructura drm_crtc_commit directamente si fu\u00e9ramos el \u00faltimo usuario, esto significa que puede llevar a un  use-after free si duplic\u00e1ramos el estado, y ese puntero obsoleto incluso se copiar\u00eda al nuevo estado. Establezca el puntero en NULL una vez que hayamos terminado con la espera para que no transfiramos un puntero a una estructura liberada.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.