CVE-2021-47469

spi: Fix deadlock when adding SPI controllers on SPI buses

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

spi: Fix deadlock when adding SPI controllers on SPI buses

Currently we have a global spi_add_lock which we take when adding new
devices so that we can check that we're not trying to reuse a chip
select that's already controlled. This means that if the SPI device is
itself a SPI controller and triggers the instantiation of further SPI
devices we trigger a deadlock as we try to register and instantiate
those devices while in the process of doing so for the parent controller
and hence already holding the global spi_add_lock. Since we only care
about concurrency within a single SPI bus move the lock to be per
controller, avoiding the deadlock.

This can be easily triggered in the case of spi-mux.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: soluciona el punto muerto al agregar controladores SPI en buses SPI. Actualmente tenemos un spi_add_lock global que utilizamos cuando agregamos nuevos dispositivos para que podamos verificar que no estamos intentando reutilizar un selección de chip que ya está controlado. Esto significa que si el dispositivo SPI es en sí mismo un controlador SPI y activa la creación de instancias de otros dispositivos SPI, desencadenaremos un punto muerto cuando intentamos registrar y crear instancias de esos dispositivos mientras estamos en el proceso de hacerlo para el controlador principal y, por lo tanto, ya tenemos el control global. spi_add_lock. Dado que solo nos importa la concurrencia dentro de un único bus SPI, mueva el bloqueo para que sea por controlador, evitando el punto muerto. Esto se puede activar fácilmente en el caso de spi-mux.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-22 CVE Reserved
2024-05-22 CVE Published
2024-11-17 CVE Updated
2024-11-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/aa3f3d7bef59583f2d3234173105a27ff61ef8fe	2024-11-17
https://git.kernel.org/stable/c/c8dce228db6f81dbc897a018dfc5c418e917cf64	2024-11-17
https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd	2021-10-27
https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0	2021-10-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.286 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.286"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.230 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.230"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.14.15 Search vendor "Linux" for product "Linux Kernel" and version " < 5.14.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15"		en		Affected