The vulnerability, tracked as CVE-2021-47456, is a use-after-free (UAF) in the Linux kernel's peak_pci_remove() function, the driver's remove callback that runs when the peak_pci module is removed.

When the peak_pci module is removed, 'chan' is referenced again after 'dev' has already been released, which is the use-after-free: because 'dev' is released too early, the later access through 'chan' reads memory that has already been freed.

The issue was discovered through a KASAN (Kernel Address Sanitizer) report, which recorded a read of size 8 at an address that had already been freed; the call trace placed that access in peak_pci_remove().

The fix releases 'dev' later in peak_pci_remove(), so that 'chan' is no longer referenced after the release and the use-after-free cannot occur.
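To show the ordering defect and its fix side by side, here is an added, self-contained C model that is not the kernel's own code; chan_priv, chan_is_freed, build_chain, run_buggy and run_fixed are constructed names, and the simulated free_sja1000dev() poisons the net_device instead of returning it to the allocator so that the read through 'chan' after the release is detected the way the KASAN report detected it.

```c
#include <stddef.h>
#include <stdbool.h>
/* Constructed model: a channel's private data lives inside its net_device
 * allocation (what netdev_priv() returns); channels are chained via prev_dev. */
struct net_device;
struct chan_priv { struct net_device *prev_dev; };
struct net_device { bool freed; struct chan_priv priv; };
static struct chan_priv *netdev_priv(struct net_device *dev) { return &dev->priv; }
/* Simulated release: poison instead of freeing, so a later access through
 * 'chan' can be flagged the way the KASAN report flagged it. */
static void free_sja1000dev(struct net_device *dev) { dev->freed = true; }
/* True when 'chan' points into a net_device that has already been released. */
static bool chan_is_freed(const struct chan_priv *chan) {
    const char *base = (const char *)chan - offsetof(struct net_device, priv);
    return ((const struct net_device *)base)->freed;
}
/* Vulnerable order: 'dev' is released, then chan->prev_dev is read from it.
 * Returns the number of channels removed, or -1 on a detected freed read. */
static int remove_buggy(struct net_device *dev) {
    struct chan_priv *chan = netdev_priv(dev);
    int removed = 0;
    while (1) {
        free_sja1000dev(dev); removed++;
        if (chan_is_freed(chan)) return -1;   /* the read of size 8 from freed memory */
        if (!(dev = chan->prev_dev)) break;
        chan = netdev_priv(dev);
    }
    return removed;
}
/* Fixed order: read chan->prev_dev first, release 'dev' only afterwards. */
static int remove_fixed(struct net_device *dev) {
    struct chan_priv *chan = netdev_priv(dev);
    int removed = 0;
    while (1) {
        if (chan_is_freed(chan)) return -1;   /* never fires: 'dev' is still live */
        struct net_device *prev_dev = chan->prev_dev;
        free_sja1000dev(dev); removed++;
        if (!(dev = prev_dev)) break;
        chan = netdev_priv(dev);
    }
    return removed;
}
/* Constructed chain of 'count' zero-initialised channels, linked through prev_dev. */
static struct net_device *build_chain(struct net_device *devs, int count) {
    for (int i = 1; i < count; i++) devs[i].priv.prev_dev = &devs[i - 1];
    return &devs[count - 1];   /* removal starts from the last channel */
}
static int run_buggy(void) { struct net_device d[4] = {0}; return remove_buggy(build_chain(d, 4)); }
static int run_fixed(void) { struct net_device d[4] = {0}; return remove_fixed(build_chain(d, 4)); }
```

run_buggy() stops at the first channel with -1, the detected freed read, while run_fixed() removes all four channels and returns 4.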

The issue was introduced in kernel version 3.4 and was fixed in subsequent versions, including 4.4.290, 4.9.288, 4.14.253, 4.19.214, 5.4.156, 5.10.76, and 5.15.

The affected file is drivers/net/can/sja1000/peak_pci.c. The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, as individual changes are not tested or supported by the kernel community.
