CVE-2021-47439

net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work

When the ksz module is installed and removed using rmmod, kernel crashes
with null pointer dereferrence error. During rmmod, ksz_switch_remove
function tries to cancel the mib_read_workqueue using
cancel_delayed_work_sync routine and unregister switch from dsa.

During dsa_unregister_switch it calls ksz_mac_link_down, which in turn
reschedules the workqueue since mib_interval is non-zero.
Due to which queue executed after mib_interval and it tries to access
dp->slave. But the slave is unregistered in the ksz_switch_remove
function. Hence kernel crashes.

To avoid this crash, before canceling the workqueue, resetted the
mib_interval to 0.

v1 -> v2:
-Removed the if condition in ksz_mib_read_work

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: dsa: microchip: se agregó la condición para programar ksz_mib_read_work Cuando el módulo ksz se instala y elimina usando rmmod, el kernel falla con un error de desreferencia de puntero nulo. Durante rmmod, la función ksz_switch_remove intenta cancelar mib_read_workqueue usando la rutina cancel_delayed_work_sync y cancelar el registro del conmutador de dsa. Durante dsa_unregister_switch llama a ksz_mac_link_down, que a su vez reprograma la cola de trabajo ya que mib_interval no es cero. Debido a qué cola se ejecutó después de mib_interval e intenta acceder a dp->slave. Pero el esclavo no está registrado en la función ksz_switch_remove. Por lo tanto, el kernel falla. Para evitar este bloqueo, antes de cancelar la cola de trabajo, restableció mib_interval a 0. v1 -> v2: -Se eliminó la condición if en ksz_mib_read_work

*Credits: N/A

CVSS Scores

CISAv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-22 CVE Published
2024-05-22 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/469b390e1ba330e888175e55d78573db2e9a8cb4	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f2e1de075018cf71bcd7d628e9f759cb8540b0c3	2021-10-20
https://git.kernel.org/stable/c/383239a33cf29ebee9ce0d4e0e5c900b77a16148	2021-10-20
https://git.kernel.org/stable/c/ef1100ef20f29aec4e62abeccdb5bdbebba1e378	2021-10-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.10.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.75"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.14.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.14.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15"		en		Affected