The Linux kernel vulnerability CVE-2021-47368 concerns an illegal memory access when reading the `affinity_hint` of the `enetc` driver. The `irq_set_affinity_hint()` function stores a reference to its `cpumask_t` parameter in the irq descriptor, and that reference is dereferenced later from `irq_affinity_hint_proc_show()`. However, the `cpu_mask` that `enetc` passed to `irq_set_affinity_hint()` was a local variable with only temporary storage on the stack. Once the setup function returned, any later access through the stored reference was therefore illegal and could trigger a paging request oops when the corresponding procfs `affinity_hint` file was read.
The vulnerability is fixed by introducing a `get_cpu_mask()` helper function that provides permanent storage for the `cpumask_t` parameter. This ensures that the reference to the `cpu_mask` parameter remains valid even after the initial function call has returned.
The issue was introduced in Linux kernel version 5.1 with commit `d4fd0404c1c9` and fixed in various versions, including 5.4.150 with commit `4c4c3052911b`, 5.10.70 with commit `6c3f1b741c6c`, 5.14.9 with commit `6f329d9da2a5`, and 5.15 with commit `7237a494decf`. The affected file is `drivers/net/ethernet/freescale/enetc/enetc.c`.
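The following user-space model, added here as an illustration and not taken from the kernel or the enetc driver, reproduces the lifetime bug and the fix with simplified stand-ins for `irq_set_affinity_hint()`, `irq_affinity_hint_proc_show()` and `get_cpu_mask()`: the irq descriptor keeps only a pointer, so the caller must supply storage that outlives the call. The `hints_are_permanent()` check is a hypothetical helper, not a kernel API.

```c
/* Toy model of CVE-2021-47368 (added example; names mirror the kernel API
 * but the implementations are simplified stand-ins). */
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS  8
#define MAX_IRQS 4
typedef struct { uint32_t bits; } cpumask_t;   /* one bit per CPU */

/* The irq descriptor only records the pointer it was handed. */
static const cpumask_t *irq_hint[MAX_IRQS];
static void irq_set_affinity_hint(int irq, const cpumask_t *m) { irq_hint[irq] = m; }

/* procfs read path: dereferences whatever pointer was stored earlier. */
static uint32_t irq_affinity_hint_proc_show(int irq)
{
    return irq_hint[irq] ? irq_hint[irq]->bits : 0;
}

/* Permanent storage, modelled on get_cpu_mask(): a static table holding one
 * single-bit mask per CPU, valid for the whole lifetime of the program. */
static cpumask_t cpu_bit_mask[NR_CPUS];
static const cpumask_t *get_cpu_mask(unsigned int cpu)
{
    cpu_bit_mask[cpu].bits = 1u << cpu;
    return &cpu_bit_mask[cpu];
}

/* BUGGY pattern (enetc before the fix): cpu_mask lives in this stack frame,
 * so the pointer kept in irq_hint[] dangles as soon as the function returns. */
static void enetc_setup_irqs_buggy(int nirqs, unsigned int ncpus)
{
    for (int i = 0; i < nirqs; i++) {
        cpumask_t cpu_mask = { 1u << (i % ncpus) };
        irq_set_affinity_hint(i, &cpu_mask);   /* stale after return */
    }
}

/* FIXED pattern: hand the descriptor storage that stays valid. */
static void enetc_setup_irqs_fixed(int nirqs, unsigned int ncpus)
{
    for (int i = 0; i < nirqs; i++)
        irq_set_affinity_hint(i, get_cpu_mask(i % ncpus));
}

/* Hypothetical review check: does every stored hint point into the
 * permanent table? Returns 1 if so, 0 if any hint points elsewhere. */
static int hints_are_permanent(int nirqs)
{
    uintptr_t lo = (uintptr_t)&cpu_bit_mask[0], hi = (uintptr_t)&cpu_bit_mask[NR_CPUS];
    for (int i = 0; i < nirqs; i++) {
        uintptr_t p = (uintptr_t)irq_hint[i];
        if (p < lo || p >= hi) return 0;
    }
    return 1;
}

int main(void)
{
    enetc_setup_irqs_fixed(MAX_IRQS, 3);
    for (int i = 0; i < MAX_IRQS; i++)
        printf("irq %d affinity_hint: %#x\n", i, irq_affinity_hint_proc_show(i));
    printf("hints permanent: %d\n", hints_are_permanent(MAX_IRQS));
    return 0;
}
```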