CVE-2021-47469 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: spi: Fix deadlock when adding SPI controllers on SPI buses Currently we have a global spi_add_lock which we take when adding new devices so that we can check that we're not trying to reuse a chip select that's already controlled. This means that if the SPI device is itself a SPI controller and triggers the instantiation of further SPI devices we trigger a deadlock as we try to register and instantiate those devices while in the process of doing so for the parent controller and hence already holding the global spi_add_lock. Since we only care about concurrency within a single SPI bus move the lock to be per controller, avoiding the deadlock. This can be easily triggered in the case of spi-mux.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0
https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd
https://lore.kernel.org/linux-cve-announce/2024052227-CVE-2021-47469-00c0@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47469
https://www.cve.org/CVERecord?id=CVE-2021-47469

History

Mon, 04 Nov 2024 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-22T06:23:27.629Z

Updated: 2024-11-04T12:06:33.143Z

Reserved: 2024-05-22T06:20:56.199Z

Link: CVE-2021-47469

Vulnrichment

Updated: 2024-08-04T05:39:59.480Z

NVD

Status : Awaiting Analysis

Published: 2024-05-22T07:15:11.690

Modified: 2024-05-22T12:46:53.887

Link: CVE-2021-47469

Redhat

Severity : Low

Publid Date: 2024-05-22T00:00:00Z

Links: CVE-2021-47469 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47469", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-22T06:20:56.199Z", "datePublished": "2024-05-22T06:23:27.629Z", "dateUpdated": "2024-11-04T12:06:33.143Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:06:33.143Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix deadlock when adding SPI controllers on SPI buses\n\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled. This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock. Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\n\nThis can be easily triggered in the case of spi-mux."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c", "include/linux/spi/spi.h"], "versions": [{"version": "1da177e4c3f4", "lessThan": "722ef19a161c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "6098475d4cb4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi.c", "include/linux/spi/spi.h"], "versions": [{"version": "5.14.15", "lessThanOrEqual": "5.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd"}, {"url": "https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0"}], "title": "spi: Fix deadlock when adding SPI controllers on SPI buses", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-17T18:03:27.288931Z", "id": "CVE-2021-47469", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T18:03:45.404Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.480Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.480Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47469", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-17T18:03:27.288931Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T18:03:28.209Z"}}], "cna": {"title": "spi: Fix deadlock when adding SPI controllers on SPI buses", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "722ef19a161c", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "6098475d4cb4", "versionType": "git"}], "programFiles": ["drivers/spi/spi.c", "include/linux/spi/spi.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.14.15", "versionType": "semver", "lessThanOrEqual": "5.14.*"}, {"status": "unaffected", "version": "5.15", "versionType": "semver", "lessThanOrEqual": "*"}], "programFiles": ["drivers/spi/spi.c", "include/linux/spi/spi.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd"}, {"url": "https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0"}], "x_generator": {"engine": "bippy-c8e10e5f6187"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix deadlock when adding SPI controllers on SPI buses\n\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled. This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock. Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\n\nThis can be easily triggered in the case of spi-mux."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:41:54.350Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47469", "state": "PUBLISHED", "dateUpdated": "2024-11-04T11:41:54.350Z", "dateReserved": "2024-05-22T06:20:56.199Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-22T06:23:27.629Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix deadlock when adding SPI controllers on SPI buses\n\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled. This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock. Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\n\nThis can be easily triggered in the case of spi-mux."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: soluciona el punto muerto al agregar controladores SPI en buses SPI. Actualmente tenemos un spi_add_lock global que utilizamos cuando agregamos nuevos dispositivos para que podamos verificar que no estamos intentando reutilizar un selecci\u00f3n de chip que ya est\u00e1 controlado. Esto significa que si el dispositivo SPI es en s\u00ed mismo un controlador SPI y activa la creaci\u00f3n de instancias de otros dispositivos SPI, desencadenaremos un punto muerto cuando intentamos registrar y crear instancias de esos dispositivos mientras estamos en el proceso de hacerlo para el controlador principal y, por lo tanto, ya tenemos el control global. spi_add_lock. Dado que solo nos importa la concurrencia dentro de un \u00fanico bus SPI, mueva el bloqueo para que sea por controlador, evitando el punto muerto. Esto se puede activar f\u00e1cilmente en el caso de spi-mux."}], "id": "CVE-2021-47469", "lastModified": "2024-05-22T12:46:53.887", "metrics": {}, "published": "2024-05-22T07:15:11.690", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6098475d4cb48d821bdf453c61118c56e26294f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/722ef19a161ce3fffb3d1b01ce2301c306639bdd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: spi: Fix deadlock when adding SPI controllers on SPI buses", "id": "2282886", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282886"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-833", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nspi: Fix deadlock when adding SPI controllers on SPI buses\nCurrently we have a global spi_add_lock which we take when adding new\ndevices so that we can check that we're not trying to reuse a chip\nselect that's already controlled. This means that if the SPI device is\nitself a SPI controller and triggers the instantiation of further SPI\ndevices we trigger a deadlock as we try to register and instantiate\nthose devices while in the process of doing so for the parent controller\nand hence already holding the global spi_add_lock. Since we only care\nabout concurrency within a single SPI bus move the lock to be per\ncontroller, avoiding the deadlock.\nThis can be easily triggered in the case of spi-mux."], "name": "CVE-2021-47469", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47469\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47469\nhttps://lore.kernel.org/linux-cve-announce/2024052227-CVE-2021-47469-00c0@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 5.14.15, kernel 5.15"}