cve/published/2021/CVE-2021-47533.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: kms: Clear the HVS FIFO commit pointer once done\n\nCommit 9ec03d7f1ed3 (\"drm/vc4: kms: Wait on previous FIFO users before a\ncommit\") introduced a wait on the previous commit done on a given HVS\nFIFO.\n\nHowever, we never cleared that pointer once done. Since\ndrm_crtc_commit_put can free the drm_crtc_commit structure directly if\nwe were the last user, this means that it can lead to a use-after free\nif we were to duplicate the state, and that stale pointer would even be\ncopied to the new state.\n\nSet the pointer to NULL once we're done with the wait so that we don't\ncarry over a pointer to a free'd structure."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/gpu/drm/vc4/vc4_kms.c"
                ],
                "versions": [
                   {
                      "version": "9ec03d7f1ed394897891319a4dda75f52c5d292d",
                      "lessThan": "2931db9a5ed219546cf2ae0546698faf78281b89",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "9ec03d7f1ed394897891319a4dda75f52c5d292d",
                      "lessThan": "d134c5ff71c7f2320fc7997f2fbbdedf0c76889a",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/gpu/drm/vc4/vc4_kms.c"
                ],
                "versions": [
                   {
                      "version": "5.12",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "5.12",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.7",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.16",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.12",
                            "versionEndExcluding": "5.15.7"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.12",
                            "versionEndExcluding": "5.16"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89"
             },
             {
                "url": "https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a"
             }
          ],
          "title": "drm/vc4: kms: Clear the HVS FIFO commit pointer once done",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2021-47533",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: kms: Clear the HVS FIFO commit pointer once done\n\nCommit 9ec03d7f1ed3 (\"drm/vc4: kms: Wait on previous FIFO users before a\ncommit\") introduced a wait on the previous commit done on a given HVS\nFIFO.\n\nHowever, we never cleared that pointer once done. Since\ndrm_crtc_commit_put can free the drm_crtc_commit structure directly if\nwe were the last user, this means that it can lead to a use-after free\nif we were to duplicate the state, and that stale pointer would even be\ncopied to the new state.\n\nSet the pointer to NULL once we're done with the wait so that we don't\ncarry over a pointer to a free'd structure."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/gpu/drm/vc4/vc4_kms.c"
	],
	"versions": [
	{
	"version": "9ec03d7f1ed394897891319a4dda75f52c5d292d",
	"lessThan": "2931db9a5ed219546cf2ae0546698faf78281b89",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "9ec03d7f1ed394897891319a4dda75f52c5d292d",
	"lessThan": "d134c5ff71c7f2320fc7997f2fbbdedf0c76889a",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/gpu/drm/vc4/vc4_kms.c"
	],
	"versions": [
	{
	"version": "5.12",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "5.12",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.7",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.16",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.12",
	"versionEndExcluding": "5.15.7"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "5.12",
	"versionEndExcluding": "5.16"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/2931db9a5ed219546cf2ae0546698faf78281b89"
	},
	{
	"url": "https://git.kernel.org/stable/c/d134c5ff71c7f2320fc7997f2fbbdedf0c76889a"
	}
	],
	"title": "drm/vc4: kms: Clear the HVS FIFO commit pointer once done",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2021-47533",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}