{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: Fix shift-out-of-bound (UBSAN) with byte size cells\n\nIf a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic\n\n *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);\n\nwill become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we\nsubtract one from that making a large number that is then shifted more than the\nnumber of bits that fit into an unsigned long.\n\nUBSAN reports this problem:\n\n UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8\n shift exponent 64 is too large for 64-bit type 'unsigned long'\n CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9\n Hardware name: Google Lazor (rev3+) with KB Backlight (DT)\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n dump_backtrace+0x0/0x170\n show_stack+0x24/0x30\n dump_stack_lvl+0x64/0x7c\n dump_stack+0x18/0x38\n ubsan_epilogue+0x10/0x54\n __ubsan_handle_shift_out_of_bounds+0x180/0x194\n __nvmem_cell_read+0x1ec/0x21c\n nvmem_cell_read+0x58/0x94\n nvmem_cell_read_variable_common+0x4c/0xb0\n nvmem_cell_read_variable_le_u32+0x40/0x100\n a6xx_gpu_init+0x170/0x2f4\n adreno_bind+0x174/0x284\n component_bind_all+0xf0/0x264\n msm_drm_bind+0x1d8/0x7a0\n try_to_bring_up_master+0x164/0x1ac\n __component_add+0xbc/0x13c\n component_add+0x20/0x2c\n dp_display_probe+0x340/0x384\n platform_probe+0xc0/0x100\n really_probe+0x110/0x304\n __driver_probe_device+0xb8/0x120\n driver_probe_device+0x4c/0xfc\n __device_attach_driver+0xb0/0x128\n bus_for_each_drv+0x90/0xdc\n __device_attach+0xc8/0x174\n device_initial_probe+0x20/0x2c\n bus_probe_device+0x40/0xa4\n deferred_probe_work_func+0x7c/0xb8\n process_one_work+0x128/0x21c\n process_scheduled_works+0x40/0x54\n worker_thread+0x1ec/0x2a8\n kthread+0x138/0x158\n ret_from_fork+0x10/0x20\n\nFix it by making sure there are any bits to mask out." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/nvmem/core.c" ], "versions": [ { "version": "69aba7948cbe", "lessThan": "abcb8d33e4d2", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "60df06bbdf49", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "2df6c0230502", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "eb0fc8e7170e", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "0594f1d048d8", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "57e48886401b", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "0e822e5413da", "status": "affected", "versionType": "git" }, { "version": "69aba7948cbe", "lessThan": "5d388fa01fa6", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/nvmem/core.c" ], "versions": [ { "version": "4.3", "status": "affected" }, { "version": "0", "lessThan": "4.3", "status": "unaffected", "versionType": "custom" }, { "version": "4.4.290", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.9.288", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.14.252", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.19.213", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.155", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.75", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.14.14", "lessThanOrEqual": "5.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/abcb8d33e4d2215ccde5ab5ccf9f730a59d79d97" }, { "url": "https://git.kernel.org/stable/c/60df06bbdf497e37ed25ad40572c362e5b0998df" }, { "url": "https://git.kernel.org/stable/c/2df6c023050205c4d04ffc121bc549f65cb8d1df" }, { "url": "https://git.kernel.org/stable/c/eb0fc8e7170e61eaf65d28dee4a8baf4e86b19ca" }, { "url": "https://git.kernel.org/stable/c/0594f1d048d8dc338eb9a240021b1d00ae1eb082" }, { "url": "https://git.kernel.org/stable/c/57e48886401b14cd351423fabfec2cfd18df4f66" }, { "url": "https://git.kernel.org/stable/c/0e822e5413da1af28cca350cb1cb42b6133bdcae" }, { "url": "https://git.kernel.org/stable/c/5d388fa01fa6eb310ac023a363a6cb216d9d8fe9" } ], "title": "nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-47497", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }