CVE-2021-47043 in Linux

Summary

by MITRE • 02/28/2024

In the Linux kernel, the following vulnerability has been resolved:

media: venus: core: Fix some resource leaks in the error path of 'venus_probe()'

If an error occurs after a successful 'of_icc_get()' call, it must be undone.

Use 'devm_of_icc_get()' instead of 'of_icc_get()' to avoid the leak. Update the remove function accordingly and axe the now unneeded 'icc_put()' calls.

Analysis

by VulDB Data Team • 01/09/2025

The vulnerability identified as CVE-2021-47043 represents a resource management flaw within the Linux kernel's venus media driver subsystem. This issue specifically affects the Venus hardware accelerator driver used for video decoding and encoding operations on Qualcomm platforms. The vulnerability manifests as improper handling of interconnect (icc) resources during driver initialization, creating a potential for resource leaks that could impact system stability and performance over time.

The technical flaw stems from the driver's error handling path in the venus_probe() function where the kernel performs a successful call to of_icc_get() to acquire interconnect bandwidth resources but fails to properly release these resources when subsequent initialization steps encounter errors. This pattern creates a resource leak where interconnect bandwidth requests remain active even though the driver initialization has failed, leading to potential resource exhaustion. The vulnerability is classified under CWE-404 as improper resource release or cleanup, specifically dealing with interconnect bandwidth management.

The operational impact of this vulnerability extends beyond simple resource consumption as it affects the reliability of the venus media driver and potentially impacts video processing capabilities on affected devices. When the driver fails to properly release interconnect resources, it can lead to gradual resource depletion that might cause system instability or prevent subsequent driver initialization attempts. This becomes particularly problematic in embedded systems or mobile devices where interconnect bandwidth is a limited resource that must be carefully managed. The issue affects devices running Linux kernels that include the venus driver, particularly those utilizing Qualcomm Snapdragon processors with Venus hardware accelerators for multimedia processing.

The fix addresses this vulnerability by replacing the manual resource management pattern with the device-managed variant of the interconnect API. By switching from of_icc_get() to devm_of_icc_get(), the kernel automatically handles resource cleanup during driver removal or when errors occur during initialization. This change eliminates the need for explicit icc_put() calls in the error paths and ensures proper resource management through the device model's automatic cleanup mechanisms. With respect to the resource exhaustion techniques in the ATT&CK framework, the fix prevents the improper resource handling that could lead to system instability. Additionally, the fix follows established kernel development practices for device-managed resources, reducing the attack surface and improving overall driver robustness. This remediation approach ensures that interconnect bandwidth resources are properly released regardless of initialization success or failure, thereby preventing the accumulation of unused resources that could eventually impact system performance or stability.
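
The difference between the two acquisition styles on a failing probe can be shown in a small userspace model. This is an added example, not kernel code and not part of the original advisory: every `model_*` function, the `struct device`/`struct devres` stand-ins and the error values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model constructed for illustration; none of this is kernel code. */
struct path { int unused; };
struct devres { struct path *p; struct devres *next; };
struct device { struct devres *res; };     /* stand-in for struct device */
static int live_paths;                     /* interconnect handles currently held */
static struct path *model_icc_get(void)    /* role of of_icc_get() */
{
    struct path *p = malloc(sizeof(*p));
    if (p) live_paths++;
    return p;
}
static void model_icc_put(struct path *p) { if (p) { live_paths--; free(p); } }
static struct path *model_devm_icc_get(struct device *dev) /* role of devm_of_icc_get() */
{
    struct devres *r = malloc(sizeof(*r)); /* release action queued on the device */
    if (!r) return NULL;
    r->p = model_icc_get();
    if (!r->p) { free(r); return NULL; }
    r->next = dev->res; dev->res = r;
    return r->p;
}
static void model_devres_release_all(struct device *dev) /* core: failed probe or unbind */
{
    while (dev->res) {
        struct devres *r = dev->res;
        dev->res = r->next;
        model_icc_put(r->p);               /* the put the driver no longer writes by hand */
        free(r);
    }
}
static int model_probe(struct device *dev, int managed)
{
    struct path *p = managed ? model_devm_icc_get(dev) : model_icc_get();
    return p ? -2 : -1;  /* -2: a later init step fails; this error path has no icc_put() */
}
int leaked_after_failed_probe(int managed) /* handles still held after core cleanup */
{
    struct device dev = { NULL };
    live_paths = 0;
    if (model_probe(&dev, managed) != 0) model_devres_release_all(&dev);
    return live_paths;
}
int main(void)
{
    printf("leaked: unmanaged=%d managed=%d\n", leaked_after_failed_probe(0), leaked_after_failed_probe(1));
    return 0;
}
```

In the unmanaged case the handle has no owner once the probe returns, so nothing can release it; in the managed case the release is attached to the device and runs regardless of which step failed.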

Reservation

02/27/2024

Disclosure

02/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00239

KEV

no

Activities

very low
