CVE-2021-46976 in Linuxالمعلومات

الملخص

بحسب VulDB • 20/06/2026

Based on the kernel log snippet provided, here is an analysis of the crash and potential causes.

### **1. Summary of the Crash** * **Type:** Kernel Oops/Panic (indicated by `WARNING kernel` and the call trace). * **Timestamp:** `2021-04-24T18:03:53.804324Z` * **CPU State:** * `CR0: 0000000080050033` (Standard control register state) * `CR2: 0000239514955000` **← Critical**: This is the **faulting virtual address**. The kernel tried to access this memory address and failed (likely a NULL pointer dereference or invalid memory access). * `CR3: 00000007f82da001` (Page table base) * `CR4: 0000000000760ee0` * **Call Trace:** ``` __active_retire+0x77/0xcf process_one_work+0x1da/0x394 worker_thread+0x216/0x375 kthread+0x147/0x156 ```

### **2. Key Analysis**

#### **A. The Faulting Address (`CR2`)** * `CR2: 0000239514955000` * This address is **not NULL** (`0x0`), so it’s not a simple NULL pointer dereference. * It is a high virtual address, which suggests it might be: * A corrupted pointer. * An unmapped kernel memory region. * A user-space address mistakenly accessed in kernel mode (if `CR4` doesn’t have `CR4.PKE` enabled, but `PKRU` is set, so protection keys are in use).

#### **B. The Call Trace** The crash occurred in `__active_retire`, which is part of the **kernel workqueue subsystem**. * `process_one_work`: The kernel worker thread is processing a work item. * `__active_retire`: This function is called when a work item is being retired (completed). The crash likely happens when the kernel tries to access data structures associated with the work item after it has been freed or corrupted.

#### **C. Loaded Modules** The `Modules linked in` list shows a **Chromebook/ChromeOS** kernel with: * **Audio:** `snd_soc_sof_*`, `snd_soc_rt5682`, `snd_soc_max98373` (Intel Sound Open Firmware drivers). * **Camera/Sensors:** `ov2740`, `ov8856`, `at24`, `sx9310`, `cros_ec_sensors`, `cros_ec_light_prox`. * **USB/Network:** `cdc_mbim`, `cdc_ncm`, `cdc_wdm`. * **Input:** `uinput`, `cros_ec_typec`.

### **3. Likely Causes**

1. **Race Condition in Workqueue:** * The crash in `__active_retire` suggests a **use-after-free** or **double-free** issue. A work item was freed, but the kernel still tried to access it during retirement. * This is common in drivers that schedule work items without proper synchronization.

2. **Driver Bug in Audio or Sensor Drivers:** * Given the heavy presence of `snd_soc_sof_*` and `cros_ec_*` drivers, one of these is likely the culprit. * **SOF (Sound Open Firmware):** Known to have complex workqueue interactions. If the firmware crashes or resets, it might leave dangling work items. * **Cros EC Sensors:** The lid angle, light proximity, or sensor drivers might be scheduling work that accesses freed memory.

3. **Memory Corruption:** * The `CR2` address (`0x239514955000`) is unusual. It could be a sign of heap corruption or a stack overflow corrupting a pointer.

### **4. Recommended Debugging Steps**

1. **Check Full Kernel Log:** * Look for earlier warnings or errors from `snd_soc_sof`, `cros_ec`, or `workqueue` subsystems. * Search for `BUG: unable to handle kernel paging request`

If you want to get best quality of vulnerability data, you may have to visit VulDB.

حجز

27/02/2024

إفشاء

28/02/2024

الاعتدال

تمت الموافقة

إدخال

VDB-255008

EPSS

0.00232

KEV

لا

النشاطات

منخفض جدًا

المصادر

Interested in the pricing of exploits?

See the underground prices here!