CVE-2021-47497
- Source
- https://cve.org/CVERecord?id=CVE-2021-47497
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47497.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-47497
- Downstream
- Related
- Published
- 2024-05-22T09:15:11.513Z
- Modified
- 2026-03-15T22:43:14.874365Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
If a cell has 'nbits' equal to a multiple of BITSPERBYTE the logic
*p &= GENMASK((cell->nbits%BITSPERBYTE) - 1, 0);
will become undefined behavior because nbits modulo BITSPERBYTE is 0, and we subtract one from that making a large number that is then shifted more than the number of bits that fit into an unsigned long.
UBSAN reports this problem:
UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8 shift exponent 64 is too large for 64-bit type 'unsigned long' CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9 Hardware name: Google Lazor (rev3+) with KB Backlight (DT) Workqueue: eventsunbound deferredprobeworkfunc Call trace: dumpbacktrace+0x0/0x170 showstack+0x24/0x30 dumpstacklvl+0x64/0x7c dumpstack+0x18/0x38 ubsanepilogue+0x10/0x54 __ubsanhandleshift_outofbounds+0x180/0x194 __nvmemcellread+0x1ec/0x21c nvmemcellread+0x58/0x94 nvmemcellreadvariablecommon+0x4c/0xb0 nvmemcellreadvariableleu32+0x40/0x100 a6xxgpuinit+0x170/0x2f4 adrenobind+0x174/0x284 componentbindall+0xf0/0x264 msmdrmbind+0x1d8/0x7a0 trytobringupmaster+0x164/0x1ac __componentadd+0xbc/0x13c componentadd+0x20/0x2c dpdisplayprobe+0x340/0x384 platformprobe+0xc0/0x100 reallyprobe+0x110/0x304 __driverprobedevice+0xb8/0x120 driverprobedevice+0x4c/0xfc __deviceattachdriver+0xb0/0x128 busforeach_drv+0x90/0xdc _deviceattach+0xc8/0x174 deviceinitialprobe+0x20/0x2c busprobedevice+0x40/0xa4 deferredprobeworkfunc+0x7c/0xb8 processonework+0x128/0x21c processscheduledworks+0x40/0x54 workerthread+0x1ec/0x2a8 kthread+0x138/0x158 retfromfork+0x10/0x20
Fix it by making sure there are any bits to mask out.
- References
-
- https://git.kernel.org/stable/c/60df06bbdf497e37ed25ad40572c362e5b0998df
- https://git.kernel.org/stable/c/abcb8d33e4d2215ccde5ab5ccf9f730a59d79d97
- https://git.kernel.org/stable/c/eb0fc8e7170e61eaf65d28dee4a8baf4e86b19ca
- https://git.kernel.org/stable/c/0594f1d048d8dc338eb9a240021b1d00ae1eb082
- https://git.kernel.org/stable/c/0e822e5413da1af28cca350cb1cb42b6133bdcae
- https://git.kernel.org/stable/c/2df6c023050205c4d04ffc121bc549f65cb8d1df
- https://git.kernel.org/stable/c/57e48886401b14cd351423fabfec2cfd18df4f66
- https://git.kernel.org/stable/c/5d388fa01fa6eb310ac023a363a6cb216d9d8fe9
Affected packages
Git /
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47497.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "4.3"
},
{
"fixed": "4.4.290"
}
]
},
{
"events": [
{
"introduced": "4.5"
},
{
"fixed": "4.9.288"
}
]
},
{
"events": [
{
"introduced": "4.10"
},
{
"fixed": "4.14.252"
}
]
},
{
"events": [
{
"introduced": "4.15"
},
{
"fixed": "4.19.213"
}
]
},
{
"events": [
{
"introduced": "4.20"
},
{
"fixed": "5.4.155"
}
]
},
{
"events": [
{
"introduced": "5.5"
},
{
"fixed": "5.10.75"
}
]
},
{
"events": [
{
"introduced": "5.11"
},
{
"fixed": "5.14.14"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.15-rc5"
}
]
}
]