CVE-2021-47172 in Linuxinfo

Summary

by MITRE • 03/25/2024

In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Channel numbering must start at 0 and then not have any holes, or it is possible to overflow the available storage. Note this bug was introduced as part of a fix to ensure we didn't rely on the ordering of child nodes. So we need to support arbitrary ordering but they all need to be there somewhere.

Note I hit this when using qemu to test the rest of this series. Arguably this isn't the best fix, but it is probably the most minimal option for backporting etc.

Alexandru's sign-off is here because he carried this patch in a larger set that Jonathan then applied.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 08/12/2025

The vulnerability identified as CVE-2021-47172 resides within the Linux kernel's industrial I/O (IIO) subsystem, specifically affecting the ad7124 analog-to-digital converter driver. This issue manifests as a potential integer overflow condition that occurs when channel numbering within the device configuration does not follow a sequential pattern starting from zero. The flaw represents a classic case of improper input validation and buffer management, where the driver assumes channels will be numbered sequentially from zero without gaps, leading to memory corruption when this assumption is violated.

The technical root cause stems from how the ad7124 driver processes channel configuration data from device tree nodes. When the kernel encounters device tree entries for ADC channels that do not follow the expected sequential numbering pattern beginning at zero, the driver's internal data structures can become corrupted. This occurs because the driver allocates storage based on the assumption of contiguous channel numbering, and when gaps exist in the numbering sequence, the driver may write beyond allocated memory boundaries. The vulnerability was introduced during a previous fix aimed at supporting arbitrary ordering of child nodes in device trees, which inadvertently created this overflow condition when channel numbers are not properly sequential.

This vulnerability has significant operational impact within embedded systems and industrial automation environments where the ad7124 ADC is commonly deployed. The potential overflow can lead to system instability, kernel panics, or even privilege escalation if exploited by malicious actors. The issue affects systems using the Linux kernel's IIO subsystem for data acquisition, particularly those employing the ad7124 ADC for sensor data collection. The vulnerability's impact is amplified in virtualized environments like QEMU where testing of kernel patches often occurs, as demonstrated by the developer's mention of hitting this issue during QEMU testing.

The mitigation strategy involves ensuring that channel numbering in device tree configurations for ad7124 devices follows a strict sequential pattern starting from zero without gaps. This aligns with CWE-129, which addresses improper validation of array indices, and CWE-191, which covers integer underflow and overflow conditions. From an ATT&CK perspective, this vulnerability could be leveraged in initial access or privilege escalation phases, particularly in industrial control systems where kernel-level exploits can provide extensive system compromise. The minimal fix approach recommended in the patch documentation reflects the need for backward compatibility while addressing the core overflow condition, though it may not fully resolve all potential edge cases in arbitrary device tree configurations. System administrators should verify device tree configurations to ensure proper sequential channel numbering and apply the kernel patch to prevent exploitation of this vulnerability.

Reservation

03/25/2024

Disclosure

03/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!