CVE-2021-47549 sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

2024-05-2415:09:53

Linux

www.cve.org

linux kernel

uaf

sata_fsl

ppc64

vulnerability

gnu/linux

bug

sata_fsl.ko

rmmod

kernel access

stack

driver_detach

ioread32

hcr_base

kfree

host_stop

6.4 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.0%

JSON

In the Linux kernel, the following vulnerability has been resolved:

sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:

BUG: Unable to handle kernel data access on read at 0x80000800805b502c
Oops: Kernel access of bad area, sig: 11 [#1]
NIP [c0000000000388a4] .ioread32+0x4/0x20
LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
Call Trace:
.free_irq+0x1c/0x4e0 (unreliable)
.ata_host_stop+0x74/0xd0 [libata]
.release_nodes+0x330/0x3f0
.device_release_driver_internal+0x178/0x2c0
.driver_detach+0x64/0xd0
.bus_remove_driver+0x70/0xf0
.driver_unregister+0x38/0x80
.platform_driver_unregister+0x14/0x30
.fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
.__se_sys_delete_module+0x1ec/0x2d0
.system_call_exception+0xfc/0x1f0
system_call_common+0xf8/0x200

The triggering of the BUG is shown in the following stack:

driver_detach
device_release_driver_internal
__device_release_driver
drv->remove(dev) –> platform_drv_remove/platform_remove
drv->remove(dev) –> sata_fsl_remove
iounmap(host_priv->hcr_base); <---- unmap
kfree(host_priv); <---- free
devres_release_all
release_nodes
dr->node.release(dev, dr->data) –> ata_host_stop
ap->ops->port_stop(ap) –> sata_fsl_port_stop
ioread32(hcr_base + HCONTROL) <---- UAF
host->ops->host_stop(host)

The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/ata/sata_fsl.c"
    ],
    "versions": [
      {
        "version": "faf0b2e5afe7",
        "lessThan": "cdcd80292106",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "91ba94d3f7af",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "325ea49fc43c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "0769449b0a5e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "77393806c76b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "4a46b2f5dce0",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "adf098e2a8a1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "faf0b2e5afe7",
        "lessThan": "6c8ad7e8cf29",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/ata/sata_fsl.c"
    ],
    "versions": [
      {
        "version": "2.6.24",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.24",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.4.294",
        "lessThanOrEqual": "4.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.9.292",
        "lessThanOrEqual": "4.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.257",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.220",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.164",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.84",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.7",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]