CVE-2021-47387

{"id": "CVE-2021-47387", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:24.183", "references": [{"url": "https://git.kernel.org/stable/c/30d57cf2c4116ca6d34ecd1cac94ad84f8bc446c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/463c46705f321201090b69c4ad5da0cd2ce614c9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/67c98e023135ff81b8d52998a6fdb8ca0c518d82", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8d62aec52a8c5b1d25a2364b243fcc5098a2ede9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a7d4fc84404d45d72f4490417e8cc3efa4af93f1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb4a53ba37532c861a5f3f22803391018a41849a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e5c6b312ce3cc97e90ea159446e6bfa06645364d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/30d57cf2c4116ca6d34ecd1cac94ad84f8bc446c", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/463c46705f321201090b69c4ad5da0cd2ce614c9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/67c98e023135ff81b8d52998a6fdb8ca0c518d82", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8d62aec52a8c5b1d25a2364b243fcc5098a2ede9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a7d4fc84404d45d72f4490417e8cc3efa4af93f1", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/cb4a53ba37532c861a5f3f22803391018a41849a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e5c6b312ce3cc97e90ea159446e6bfa06645364d", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-763"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: schedutil: Use kobject release() method to free sugov_tunables\n\nThe struct sugov_tunables is protected by the kobject, so we can't free\nit directly. Otherwise we would get a call trace like this:\n ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30\n WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100\n Modules linked in:\n CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507\n Hardware name: Marvell OcteonTX CN96XX board (DT)\n pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)\n pc : debug_print_object+0xb8/0x100\n lr : debug_print_object+0xb8/0x100\n sp : ffff80001ecaf910\n x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80\n x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000\n x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20\n x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010\n x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365\n x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69\n x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0\n x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001\n x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000\n x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000\n Call trace:\n debug_print_object+0xb8/0x100\n __debug_check_no_obj_freed+0x1c0/0x230\n debug_check_no_obj_freed+0x20/0x88\n slab_free_freelist_hook+0x154/0x1c8\n kfree+0x114/0x5d0\n sugov_exit+0xbc/0xc0\n cpufreq_exit_governor+0x44/0x90\n cpufreq_set_policy+0x268/0x4a8\n store_scaling_governor+0xe0/0x128\n store+0xc0/0xf0\n sysfs_kf_write+0x54/0x80\n kernfs_fop_write_iter+0x128/0x1c0\n new_sync_write+0xf0/0x190\n vfs_write+0x2d4/0x478\n ksys_write+0x74/0x100\n __arm64_sys_write+0x24/0x30\n invoke_syscall.constprop.0+0x54/0xe0\n do_el0_svc+0x64/0x158\n el0_svc+0x2c/0xb0\n el0t_64_sync_handler+0xb0/0xb8\n el0t_64_sync+0x198/0x19c\n irq event stamp: 5518\n hardirqs last enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8\n hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0\n softirqs last enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0\n softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8\n\nSo split the original sugov_tunables_free() into two functions,\nsugov_clear_global_tunables() is just used to clear the global_tunables\nand the new sugov_tunables_free() is used as kobj_type::release to\nrelease the sugov_tunables safely."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cpufreq: schedutil: utilice el m\u00e9todo kobject release() para liberar sugov_tunables. La estructura sugov_tunables est\u00e1 protegida por kobject, por lo que no podemos liberarla directamente. De lo contrario, obtendr\u00edamos un seguimiento de llamada como este: ODEBUG: activo libre (estado activo 0) tipo de objeto: timer_list sugerencia: delay_work_timer_fn+0x0/0x30 ADVERTENCIA: CPU: 3 PID: 720 en lib/debugobjects.c:505 debug_print_object+0xb8/ 0x100 M\u00f3dulos vinculados en: CPU: 3 PID: 720 Comm: a.sh Contaminado: GW 5.14.0-rc1-next-20210715-yocto-standard+ #507 Nombre del hardware: Placa Marvell OcteonTX CN96XX (DT) pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) pc: debug_print_object+0xb8/0x100 lr: debug_print_object+0xb8/0x100 sp: ffff80001ecaf910 x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: d80 x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000 x23: ffff80001142aa68 x22 : ffff800011043d80 x21: ffff00010de46f20 x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010 x17: 6e6968207473696c x16: 656d6974203a x15: 6570797420746365 x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69 x11: ffff8000124b1560 x10: 0012331520 x9: ffff8000100ca6b0 x8: 000000000017ffe8 x7: c0000000fffeffff x6: 0000000000000001 x5: ffff800011d8c000 x4: ffff800011d8c740 x3: 0000000000000000 x2: ffff0001108301c0 x1: ab3c90eedf9c0f00 x0: 0000000000000000 Rastreo de llamadas: xb8/0x100 __debug_check_no_obj_freed+0x1c0/0x230 debug_check_no_obj_freed+0x20/0x88 slab_free_freelist_hook+0x154/0x1c8 kfree+0x114/0x5d0 sugov_exit+0xbc/ 0xc0 cpufreq_exit_governor+0x44/0x90 cpufreq_set_policy+0x268/0x4a8 store_scaling_governor+0xe0/0x128 store+0xc0/0xf0 sysfs_kf_write+0x54/0x80 kernfs_fop_write_iter+0x128/0x1c0 nuevo _sync_write+0xf0/0x190 vfs_write+0x2d4/0x478 ksys_write+0x74/0x100 __arm64_sys_write+0x24/ 0x30 invoke_syscall.constprop.0+0x54/0xe0 do_el0_svc+0x64/0x158 el0_svc+0x2c/0xb0 el0t_64_sync_handler+0xb0/0xb8 el0t_64_sync+0x198/0x19c sello de evento irq: 5518 hardirqs habilitado por \u00faltima vez en ( 5517): [] consola_unlock+ 0x554/0x6c8 hardirqs deshabilitado por \u00faltima vez en (5518): [] el1_dbg+0x28/0xa0 softirqs habilitado por \u00faltima vez en (5504): [] __do_softirq+0x4d0/0x6c0 softirqs deshabilitado por \u00faltima vez en (5483): ff800010049548 &gt;] irq_exit+0x1b0/0x1b8 Entonces divida el sugov_tunables_free() original en dos funciones, sugov_clear_global_tunables() solo se usa para borrar los global_tunables y el nuevo sugov_tunables_free() se usa como kobj_type::release para liberar los sugov_tunables de forma segura."}], "lastModified": "2025-09-25T15:38:17.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71D61395-0228-4BB6-9B08-38F445F83B82", "versionEndExcluding": "4.9.285", "versionStartIncluding": "4.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DFC8239-9F26-43B2-A340-8EFC6BC6BDA8", "versionEndExcluding": "4.14.249", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21C23429-F802-4256-B3C2-9EEA76AC11FF", "versionEndExcluding": "4.19.209", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFFC8E38-107A-4B6F-9FFD-9B2FD8B89EF0", "versionEndExcluding": "5.4.151", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60C740E4-6C54-40CD-A914-2232D8FC781D", "versionEndExcluding": "5.10.71", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A437B0D-8305-4C72-B691-D26986A126CF", "versionEndExcluding": "5.14.10", "versionStartIncluding": "5.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}