CVE-2021-47549
- Source
- https://cve.org/CVERecord?id=CVE-2021-47549
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47549.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-47549
- Downstream
- Related
- Published
- 2024-05-24T15:15:19.773Z
- Modified
- 2026-03-15T22:43:15.207500Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
satafsl: fix UAF in satafslportstop when rmmod sata_fsl
When the
rmmod sata_fsl.kocommand is executed in the PPC64 GNU/Linux, a bug is reported: ================================================================== BUG: Unable to handle kernel data access on read at 0x80000800805b502c Oops: Kernel access of bad area, sig: 11 [#1] NIP [c0000000000388a4] .ioread32+0x4/0x20 LR [80000000000c6034] .satafslportstop+0x44/0xe0 [satafsl] Call Trace: .freeirq+0x1c/0x4e0 (unreliable) .atahoststop+0x74/0xd0 [libata] .releasenodes+0x330/0x3f0 .devicereleasedriverinternal+0x178/0x2c0 .driverdetach+0x64/0xd0 .busremovedriver+0x70/0xf0 .driverunregister+0x38/0x80 .platformdriverunregister+0x14/0x30 .fslsatadriverexit+0x18/0xa20 [satafsl] .sesysdeletemodule+0x1ec/0x2d0 .systemcallexception+0xfc/0x1f0 systemcallcommon+0xf8/0x200 ==================================================================The triggering of the BUG is shown in the following stack:
driverdetach devicereleasedriverinternal _devicereleasedriver drv->remove(dev) --> platformdrvremove/platformremove drv->remove(dev) --> satafslremove iounmap(hostpriv->hcrbase); <---- unmap kfree(hostpriv); <---- free devresreleaseall releasenodes dr->node.release(dev, dr->data) --> atahoststop ap->ops->portstop(ap) --> satafslportstop ioread32(hcrbase + HCONTROL) <---- UAF host->ops->hoststop(host)
The iounmap(hostpriv->hcrbase) and kfree(hostpriv) functions should not be executed in drv->remove. These functions should be executed in hoststop after portstop. Therefore, we move these functions to the new function satafslhoststop and bind the new function to host_stop.
- References
-
- https://git.kernel.org/stable/c/6c8ad7e8cf29eb55836e7a0215f967746ab2b504
- https://git.kernel.org/stable/c/77393806c76b6b44f1c44bd957788c8bd9152c45
- https://git.kernel.org/stable/c/91ba94d3f7afca195b224f77a72044fbde1389ce
- https://git.kernel.org/stable/c/adf098e2a8a1e1fc075d6a5ba2edd13cf7189082
- https://git.kernel.org/stable/c/cdcd80292106df5cda325426e96495503e41f947
- https://git.kernel.org/stable/c/0769449b0a5eabc3545337217ae690e46673e73a
- https://git.kernel.org/stable/c/325ea49fc43cbc03a5e1e37de8f0ca6357ced4b1
- https://git.kernel.org/stable/c/4a46b2f5dce02539e88a300800812bd24a45e097
Affected packages
Git /
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47549.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "2.6.24"
},
{
"fixed": "4.4.294"
}
]
},
{
"events": [
{
"introduced": "4.5"
},
{
"fixed": "4.9.292"
}
]
},
{
"events": [
{
"introduced": "4.10"
},
{
"fixed": "4.14.257"
}
]
},
{
"events": [
{
"introduced": "4.15"
},
{
"fixed": "4.19.220"
}
]
},
{
"events": [
{
"introduced": "4.20"
},
{
"fixed": "5.4.164"
}
]
},
{
"events": [
{
"introduced": "5.5"
},
{
"fixed": "5.10.84"
}
]
},
{
"events": [
{
"introduced": "5.11"
},
{
"fixed": "5.15.7"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.16-rc1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.16-rc2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.16-rc3"
}
]
}
]