UBUNTU-CVE-2021-46959
Vulnerability Summary
Description
In the Linux kernel, the following vulnerability has been resolved:

spi: Fix use-after-free with devm_spi_alloc_*

We can't rely on the contents of the devres list during spi_unregister_controller(), as the list is already torn down at the time we perform devres_find() for devm_spi_release_controller. This causes devices registered with devm_spi_alloc_{master,slave}() to be mistakenly identified as legacy, non-devm managed devices and have their reference counters decremented below 0.

------------[ cut here ]------------
WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
[<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98)
[<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24)
 r4:b6700140
[<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40)
[<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4)
 r5:b6700180 r4:b6700100
[<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60)
 r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
[<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec)
 r5:b117ad94 r4:b163dc10
[<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0)
 r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
[<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8)

Instead, determine the devm allocation state as a flag on the controller which is guaranteed to be stable during cleanup.
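The reference-count imbalance described above, as a user-space model added here for illustration (not kernel code and not taken from the fix commit). The struct, its fields and the function names are hypothetical, and the model assumes the unregister step runs as a release callback after the devres list has been emptied, as the description and trace indicate.

```c
/* User-space model (not kernel code) of the refcount imbalance. */
#include <stdbool.h>
#include <stdio.h>

struct ctlr {
    int  refcount;        /* stands in for the controller's kobject refcount */
    bool devm_allocated;  /* stable flag, the approach the description adopts */
    bool on_devres_list;  /* true while the devres release entry is findable */
    int  underflows;      /* puts attempted with no reference left */
};

static void put_ctlr(struct ctlr *c)
{
    if (c->refcount == 0)
        c->underflows++;  /* where the kernel would hit refcount_warn_saturate() */
    else
        c->refcount--;
}

/* Model of the unregister step: drop the reference only for legacy (non-devm)
 * controllers. use_flag selects the flag check over the list lookup. */
static void unregister_ctlr(struct ctlr *c, bool use_flag)
{
    bool devm = use_flag ? c->devm_allocated : c->on_devres_list;
    if (!devm)
        put_ctlr(c);
}

/* Model of driver detach (assumed ordering): the devres list is emptied
 * first, then the release callbacks run. Returns the number of underflows. */
static int detach(bool use_flag)
{
    struct ctlr c = { .refcount = 1, .devm_allocated = true,
                      .on_devres_list = true };
    c.on_devres_list = false;       /* list torn down before callbacks run */
    unregister_ctlr(&c, use_flag);  /* list lookup now reports "legacy" */
    put_ctlr(&c);                   /* devm release drops the allocation's ref */
    return c.underflows;
}

int main(void)
{
    printf("list lookup: %d underflow(s)\n", detach(false));
    printf("stable flag: %d underflow(s)\n", detach(true));
    return 0;
}
```
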
CVSS Metrics
- v3.1 • HIGH • Score: 7.8 • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Systems
- ubuntu•linux
< 4.4.0-268.302 | < 4.15.0-151.157 | < 5.4.0-77.86
- ubuntu•linux-allwinner-5.19
all
- ubuntu•linux-aws
< 4.4.0-1143.149 | < 4.4.0-1181.196 | < 4.15.0-1109.116 | < 5.4.0-1051.53
- ubuntu•linux-aws-5.0
all
- ubuntu•linux-aws-5.11
all
- ubuntu•linux-aws-5.13
all
- ubuntu•linux-aws-5.19
all
- ubuntu•linux-aws-5.3
all
- ubuntu•linux-aws-5.4
< 5.4.0-1051.53~18.04.1
- ubuntu•linux-aws-5.8
all
- ubuntu•linux-aws-6.2
all
- ubuntu•linux-aws-fips
< 4.15.0-2051.53
- ubuntu•linux-aws-hwe
< 4.15.0-1109.116~16.04.1
- ubuntu•linux-azure
< 4.15.0-1121.134~14.04.1 | < 4.15.0-1121.134~16.04.1 | all | < 5.4.0-1051.53
- ubuntu•linux-azure-4.15
< 4.15.0-1121.134
- ubuntu•linux-azure-5.11
all
- ubuntu•linux-azure-5.13
all
- ubuntu•linux-azure-5.19
all
- ubuntu•linux-azure-5.3
all
- ubuntu•linux-azure-5.4
< 5.4.0-1051.53~18.04.1
- ubuntu•linux-azure-5.8
all
- ubuntu•linux-azure-6.2
all
- ubuntu•linux-azure-edge
all
- ubuntu•linux-azure-fde
all
- ubuntu•linux-azure-fde-5.19
all
- ubuntu•linux-azure-fde-6.2
all
- ubuntu•linux-azure-fips
< 4.15.0-2033.37
- ubuntu•linux-bluefield
< 5.4.0-1013.16 | all
- ubuntu•linux-fips
< 4.4.0-1113.120 | < 4.15.0-1066.75 | < 5.4.0-1028.32 | all
- ubuntu•linux-gcp
< 4.15.0-1106.120~16.04.1 | all | < 5.4.0-1046.49
- ubuntu•linux-gcp-4.15
< 4.15.0-1106.120
- ubuntu•linux-gcp-5.11
all
- ubuntu•linux-gcp-5.13
all
- ubuntu•linux-gcp-5.19
all
- ubuntu•linux-gcp-5.3
all
- ubuntu•linux-gcp-5.4
< 5.4.0-1046.49~18.04.1
- ubuntu•linux-gcp-5.8
all
- ubuntu•linux-gcp-6.2
all
- ubuntu•linux-gcp-fips
< 4.15.0-2016.18
- ubuntu•linux-gke
all
- ubuntu•linux-gke-4.15
all
- ubuntu•linux-gke-5.15
all
- ubuntu•linux-gke-5.4
all
- ubuntu•linux-gkeop
< 5.4.0-1018.19
- ubuntu•linux-gkeop-5.4
all
- ubuntu•linux-hwe
< 4.15.0-151.157~16.04.1 | all
- ubuntu•linux-hwe-5.11
all
- ubuntu•linux-hwe-5.13
all
- ubuntu•linux-hwe-5.19
all
- ubuntu•linux-hwe-5.4
< 5.4.0-77.86~18.04.1
Showing first 50 affected entries in server-rendered view.
References (7)
- https://ubuntu.com/security/CVE-2021-46959
- https://git.kernel.org/linus/794aaf01444d4e765e2b067cba01cc69c1c68ed9
- https://www.cve.org/CVERecord?id=CVE-2021-46959
- https://ubuntu.com/security/notices/USN-7506-1
- https://ubuntu.com/security/notices/USN-7506-2
- https://ubuntu.com/security/notices/USN-7506-3
- https://ubuntu.com/security/notices/USN-7506-4