History: May 22, 2024 - 7:15 a.m.

CVE-2021-47439

2024-05-22 07:15:09
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov

AI Score: 6.6 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.6%)

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work

When the ksz module is installed and removed using rmmod, the kernel crashes
with a null pointer dereference error. During rmmod, the ksz_switch_remove
function tries to cancel the mib_read_workqueue using
cancel_delayed_work_sync routine and unregister switch from dsa.

During dsa_unregister_switch it calls ksz_mac_link_down, which in turn
reschedules the workqueue since mib_interval is non-zero.
Due to this, the queue is executed after mib_interval and it tries to access
dp->slave. But the slave is unregistered in the ksz_switch_remove
function. Hence the kernel crashes.

To avoid this crash, before canceling the workqueue, reset the
mib_interval to 0.

v1 -> v2:
- Removed the if condition in ksz_mib_read_work
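
The teardown ordering described above, as an added example that is not the kernel driver's code or part of the original advisory: a userspace C model in which link-down re-arms the work while mib_interval is non-zero, as the description states. The model_* names, the struct and the interval value 30 are hypothetical, constructed for illustration.

```c
/* Userspace model of the rmmod ordering; constructed, not kernel source. */
#include <stdbool.h>
#include <stdio.h>

struct model_dev {            /* hypothetical stand-in for the switch state */
    unsigned mib_interval;    /* non-zero: link-down re-arms the MIB work */
    bool work_pending;        /* models the delayed work being queued */
    int *slave;               /* models dp->slave; NULL once unregistered */
};

/* Models ksz_mac_link_down: re-arms the work only while the interval is set. */
static void model_link_down(struct model_dev *d)
{
    if (d->mib_interval)
        d->work_pending = true;
}

/* Models dsa_unregister_switch: brings the link down, then drops the slave. */
static void model_unregister(struct model_dev *d)
{
    model_link_down(d);
    d->slave = NULL;
}

/* Models ksz_switch_remove. fixed=true zeroes the interval before cancelling. */
static void model_remove(struct model_dev *d, bool fixed)
{
    if (fixed)
        d->mib_interval = 0;
    d->work_pending = false;      /* models cancel_delayed_work_sync */
    model_unregister(d);
}

/* Returns true if work is still queued against a NULL slave after remove,
 * the state in which the work handler would dereference a null pointer. */
bool stale_work_after_remove(bool fixed)
{
    int netdev = 0;               /* constructed placeholder object */
    struct model_dev d = { .mib_interval = 30, .work_pending = true, .slave = &netdev };
    model_remove(&d, fixed);
    return d.work_pending && d.slave == NULL;
}

int main(void)
{
    printf("original order: stale work = %d\n", stale_work_after_remove(false));
    printf("interval reset first: stale work = %d\n", stale_work_after_remove(true));
    return 0;
}
```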

Affected configurations

Vulners node:
linux / linux_kernel / Range 5.7 - 5.10.75
OR
linux / linux_kernel / Range 5.11.0 - 5.14.14
OR
linux / linux_kernel / Range 5.15.0

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/dsa/microchip/ksz_common.c"
    ],
    "versions": [
      {
        "version": "469b390e1ba3",
        "lessThan": "f2e1de075018",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "469b390e1ba3",
        "lessThan": "383239a33cf2",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "469b390e1ba3",
        "lessThan": "ef1100ef20f2",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/dsa/microchip/ksz_common.c"
    ],
    "versions": [
      {
        "version": "5.7",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.7",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.75",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14.14",
        "lessThanOrEqual": "5.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
