ghsa-pcwf-v3ph-3p9v
Vulnerability from github
Published
2024-05-21 15:31
Modified
2024-07-03 18:42
Severity
4.7 (Medium) - CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

isdn: mISDN: netjet: Fix crash in nj_probe:

'nj_setup' in netjet.c might fail with -EIO and in this case 'card->irq' is initialized and is bigger than zero. A subsequent call to 'nj_release' will free the irq that has not been requested.

Fix this bug by deleting the previous assignment to 'card->irq' and just keep the assignment before 'request_irq'.

The KASAN's log reveals it:

[ 3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826 free_irq+0x100/0x480 [ 3.355112 ] Modules linked in: [ 3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc1-00144-g25a1298726e #13 [ 3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.356552 ] RIP: 0010:free_irq+0x100/0x480 [ 3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80 [ 3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082 [ 3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX: 0000000000000000 [ 3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI: 00000000ffffffff [ 3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09: 0000000000000000 [ 3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12: 0000000000000000 [ 3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15: ffff888104dc80a8 [ 3.360652 ] FS: 0000000000000000(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 [ 3.361170 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4: 00000000000006f0 [ 3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3.362175 ] Call Trace: [ 3.362175 ] nj_release+0x51/0x1e0 [ 3.362175 ] nj_probe+0x450/0x950 [ 3.362175 ] ? pci_device_remove+0x110/0x110 [ 3.362175 ] local_pci_probe+0x45/0xa0 [ 3.362175 ] pci_device_probe+0x12b/0x1d0 [ 3.362175 ] really_probe+0x2a9/0x610 [ 3.362175 ] driver_probe_device+0x90/0x1d0 [ 3.362175 ] ? mutex_lock_nested+0x1b/0x20 [ 3.362175 ] device_driver_attach+0x68/0x70 [ 3.362175 ] __driver_attach+0x124/0x1b0 [ 3.362175 ] ? device_driver_attach+0x70/0x70 [ 3.362175 ] bus_for_each_dev+0xbb/0x110 [ 3.362175 ] ? rdinit_setup+0x45/0x45 [ 3.362175 ] driver_attach+0x27/0x30 [ 3.362175 ] bus_add_driver+0x1eb/0x2a0 [ 3.362175 ] driver_register+0xa9/0x180 [ 3.362175 ] __pci_register_driver+0x82/0x90 [ 3.362175 ] ? w6692_init+0x38/0x38 [ 3.362175 ] nj_init+0x36/0x38 [ 3.362175 ] do_one_initcall+0x7f/0x3d0 [ 3.362175 ] ? rdinit_setup+0x45/0x45 [ 3.362175 ] ? rcu_read_lock_sched_held+0x4f/0x80 [ 3.362175 ] kernel_init_freeable+0x2aa/0x301 [ 3.362175 ] ? rest_init+0x2c0/0x2c0 [ 3.362175 ] kernel_init+0x18/0x190 [ 3.362175 ] ? rest_init+0x2c0/0x2c0 [ 3.362175 ] ? rest_init+0x2c0/0x2c0 [ 3.362175 ] ret_from_fork+0x1f/0x30 [ 3.362175 ] Kernel panic - not syncing: panic_on_warn set ... [ 3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc1-00144-g25a1298726e #13 [ 3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.362175 ] Call Trace: [ 3.362175 ] dump_stack+0xba/0xf5 [ 3.362175 ] ? free_irq+0x100/0x480 [ 3.362175 ] panic+0x15a/0x3f2 [ 3.362175 ] ? __warn+0xf2/0x150 [ 3.362175 ] ? free_irq+0x100/0x480 [ 3.362175 ] __warn+0x108/0x150 [ 3.362175 ] ? free_irq+0x100/0x480 [ 3.362175 ] report_bug+0x119/0x1c0 [ 3.362175 ] handle_bug+0x3b/0x80 [ 3.362175 ] exc_invalid_op+0x18/0x70 [ 3.362175 ] asm_exc_invalid_op+0x12/0x20 [ 3.362175 ] RIP: 0010:free_irq+0x100 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: netjet: Fix crash in nj_probe:\n\n\u0027nj_setup\u0027 in netjet.c might fail with -EIO and in this case\n\u0027card-\u003eirq\u0027 is initialized and is bigger than zero. A subsequent call to\n\u0027nj_release\u0027 will free the irq that has not been requested.\n\nFix this bug by deleting the previous assignment to \u0027card-\u003eirq\u0027 and just\nkeep the assignment before \u0027request_irq\u0027.\n\nThe KASAN\u0027s log reveals it:\n\n[    3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826\nfree_irq+0x100/0x480\n[    3.355112 ] Modules linked in:\n[    3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.356552 ] RIP: 0010:free_irq+0x100/0x480\n[    3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18\n4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5\nff \u003c0f\u003e 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80\n[    3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082\n[    3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:\n0000000000000000\n[    3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:\n00000000ffffffff\n[    3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:\n0000000000000000\n[    3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:\n0000000000000000\n[    3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:\nffff888104dc80a8\n[    3.360652 ] FS:  0000000000000000(0000) GS:ffff88817bc00000(0000)\nknlGS:0000000000000000\n[    3.361170 ] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4:\n00000000000006f0\n[    3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[    3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[    3.362175 ] Call Trace:\n[    3.362175 ]  nj_release+0x51/0x1e0\n[    3.362175 ]  nj_probe+0x450/0x950\n[    3.362175 ]  ? pci_device_remove+0x110/0x110\n[    3.362175 ]  local_pci_probe+0x45/0xa0\n[    3.362175 ]  pci_device_probe+0x12b/0x1d0\n[    3.362175 ]  really_probe+0x2a9/0x610\n[    3.362175 ]  driver_probe_device+0x90/0x1d0\n[    3.362175 ]  ? mutex_lock_nested+0x1b/0x20\n[    3.362175 ]  device_driver_attach+0x68/0x70\n[    3.362175 ]  __driver_attach+0x124/0x1b0\n[    3.362175 ]  ? device_driver_attach+0x70/0x70\n[    3.362175 ]  bus_for_each_dev+0xbb/0x110\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  driver_attach+0x27/0x30\n[    3.362175 ]  bus_add_driver+0x1eb/0x2a0\n[    3.362175 ]  driver_register+0xa9/0x180\n[    3.362175 ]  __pci_register_driver+0x82/0x90\n[    3.362175 ]  ? w6692_init+0x38/0x38\n[    3.362175 ]  nj_init+0x36/0x38\n[    3.362175 ]  do_one_initcall+0x7f/0x3d0\n[    3.362175 ]  ? rdinit_setup+0x45/0x45\n[    3.362175 ]  ? rcu_read_lock_sched_held+0x4f/0x80\n[    3.362175 ]  kernel_init_freeable+0x2aa/0x301\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  kernel_init+0x18/0x190\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ? rest_init+0x2c0/0x2c0\n[    3.362175 ]  ret_from_fork+0x1f/0x30\n[    3.362175 ] Kernel panic - not syncing: panic_on_warn set ...\n[    3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[    3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[    3.362175 ] Call Trace:\n[    3.362175 ]  dump_stack+0xba/0xf5\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  panic+0x15a/0x3f2\n[    3.362175 ]  ? __warn+0xf2/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  __warn+0x108/0x150\n[    3.362175 ]  ? free_irq+0x100/0x480\n[    3.362175 ]  report_bug+0x119/0x1c0\n[    3.362175 ]  handle_bug+0x3b/0x80\n[    3.362175 ]  exc_invalid_op+0x18/0x70\n[    3.362175 ]  asm_exc_invalid_op+0x12/0x20\n[    3.362175 ] RIP: 0010:free_irq+0x100\n---truncated---",
  "id": "GHSA-pcwf-v3ph-3p9v",
  "modified": "2024-07-03T18:42:45Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47284"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/143fc7220961220eecc04669e5909af8847bf8c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c1fcb6ec964b44edbf84235134582a5ffae1521"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6249193e03709ea625e10706ecaf17fea0427d3d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/958cb1078ca60d214826fd90a0961a447fade59a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d7d4649dc1c53acf76df260fd519db698ed20d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f6f852550d0e1b7735651228116ae9d300f69b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0a37e4454ca1c0b424edc2c9c2487c2c46a1be6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf78e25bd3f487208e042c67c8a31706c2dba265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.