CVE-2021-46904 in Linuxinfo

Summary

by MITRE • 02/26/2024

In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix null-ptr-deref during tty device unregistration

Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref.

The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number.

Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/12/2025

The vulnerability described in CVE-2021-46904 represents a critical null pointer dereference issue within the Linux kernel's hso (High Speed Onboard) network driver subsystem. This flaw manifests during the process of tty device unregistration, specifically when multiple terminal line disciplines attempt to claim identical minor numbers for serial device management. The underlying problem stems from improper resource management and synchronization mechanisms within the serial device allocation logic, creating a scenario where device cleanup operations can fail catastrophically.

The technical root cause lies in the get_free_serial_index() function which identifies available minor numbers but fails to immediately assign them to the requesting device. This delay creates a race condition where multiple concurrent requests can receive the same minor number identifier before the assignment is completed. When the first unregistration occurs successfully, subsequent attempts to unregister the same device result in a null pointer dereference because the internal data structures have already been partially or completely released. This behavior directly violates the principle of proper resource lifecycle management and demonstrates a classic example of improper state handling in kernel space operations.

The operational impact of this vulnerability extends beyond simple system stability concerns to potentially enable privilege escalation or denial of service conditions within embedded systems and network infrastructure devices that rely on the hso driver for high-speed serial communication. Attackers could exploit this flaw by creating multiple concurrent tty device registration attempts, triggering the double unregistration scenario that leads to kernel panic or memory corruption. The vulnerability particularly affects systems using the hso driver for USB serial communication, including various mobile broadband devices and embedded networking equipment where kernel memory integrity is paramount for system reliability and security.

The fix implemented addresses this vulnerability by fundamentally restructuring the minor number management approach through renaming get_free_serial_index() to obtain_minor() and set_serial_by_index() to release_minor(). This change ensures that minor number assignment occurs immediately upon identification, preventing the race condition that led to the null pointer dereference. The new implementation enforces a strict one-to-one correspondence between obtain_minor() and release_minor() calls, creating a clear and predictable resource management pattern that aligns with established kernel development practices and security best practices. This solution directly addresses CWE-476, which covers null pointer dereference vulnerabilities, and provides a robust mechanism for managing serial device resources in accordance with the ATT&CK framework's system binary exploitation techniques.

The remediation approach demonstrates proper kernel development methodology by ensuring atomic resource allocation and deallocation operations. The renaming convention clearly communicates the intended functionality and establishes a maintainable codebase that prevents similar issues from occurring in future modifications. This fix aligns with the Linux kernel's security hardening initiatives and represents a defensive programming approach that reduces attack surface while maintaining backward compatibility. The solution effectively eliminates the conditions that allowed malicious or erroneous input to trigger kernel memory corruption, thereby protecting against potential exploitation scenarios that could compromise system integrity or availability in embedded and mobile network environments where the hso driver is commonly deployed.

Reservation

02/25/2024

Disclosure

02/26/2024

Moderation

accepted

CPE

ready

EPSS

0.00256

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!