CVE-2021-47095

ipmi: ssif: initialize ssif_info->client early

Severity Score

5.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early During probe ssif_info->client is dereferenced in error path. However,
it is set when some of the error checking has already been done. This
causes following kernel crash if an error path is taken: [ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
[ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
...
[ 30.657723][ T674] pc : __dev_printk+0x28/0xa0
[ 30.657732][ T674] lr : _dev_err+0x7c/0xa0
...
[ 30.657772][ T674] Call trace:
[ 30.657775][ T674] __dev_printk+0x28/0xa0
[ 30.657778][ T674] _dev_err+0x7c/0xa0
[ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
[ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0
... Initialize ssif_info->client before any error path can be taken. Clear
i2c_client data in the error path to prevent the dangling pointer from
leaking.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipmi: ssif: inicializa ssif_info->client temprano Durante la sonda, ssif_info->client se desreferencia en la ruta de error. Sin embargo, se establece cuando ya se ha realizado parte de la verificación de errores. Esto provoca el siguiente fallo del kernel si se toma una ruta de error: [30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: No sondeando, la interfaz ya está presente [30.657616][ T674] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000088. [ 30.657723][ T674] pc : __dev_printk+0x28/0xa0 [ 30.657732][ T674] lr : _dev_err+0x7c/0xa0 ... [ 30.657772][ T674] Rastreo de llamadas: [ 30.657775][ T674] __dev_printk+0x28/0 xa0 [ 30.657778][ T674] _dev_err+0x7c/0xa0 [ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e] [ 30.65779 1][T674] i2c_device_probe+0x37c/0x3c0... Inicialice ssif_info->client antes de que pueda aparecer cualquier ruta de error. ser tomado. Borre los datos de i2c_client en la ruta del error para evitar que se filtre el puntero colgante.

In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early During probe ssif_info->client is dereferenced in error path. However, it is set when some of the error checking has already been done. This causes following kernel crash if an error path is taken: [ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present [ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088 ... [ 30.657723][ T674] pc : __dev_printk+0x28/0xa0 [ 30.657732][ T674] lr : _dev_err+0x7c/0xa0 ... [ 30.657772][ T674] Call trace: [ 30.657775][ T674] __dev_printk+0x28/0xa0 [ 30.657778][ T674] _dev_err+0x7c/0xa0 [ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e] [ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0 ... Initialize ssif_info->client before any error path can be taken. Clear i2c_client data in the error path to prevent the dangling pointer from leaking.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-29 CVE Reserved
2024-03-04 CVE Published
2024-12-19 CVE Updated
2025-03-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8efd6a3391f7b0b19fb0c38e50add06ca30c94af	2021-12-29
https://git.kernel.org/stable/c/1f6ab847461ce7dd89ae9db2dd4658c993355d7c	2021-12-29
https://git.kernel.org/stable/c/77a7311ca167aa5b7055c549a940a56e73ee5f29	2021-12-29
https://git.kernel.org/stable/c/34f35f8f14bc406efc06ee4ff73202c6fd245d15	2021-12-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4 < 5.4.169 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.4.169"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4 < 5.10.89 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.10.89"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4 < 5.15.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.15.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4 < 5.16"		en		Affected