CVE-2021-47337 in Linuxinfo

Summary

by MITRE • 05/21/2024

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") changed the allocation logic to call put_device() to perform host cleanup with the assumption that IDA removal and stopping the kthread would properly be performed in scsi_host_dev_release(). However, in the unlikely case that the error handler thread fails to spawn, shost->ehandler is set to ERR_PTR(-ENOMEM).

The error handler cleanup code in scsi_host_dev_release() will call kthread_stop() if shost->ehandler != NULL which will always be the case whether the kthread was successfully spawned or not. In the case that it failed to spawn this has the nasty side effect of trying to dereference an invalid pointer when kthread_stop() is called. The following splat provides an example of this behavior in the wild:

scsi host11: error handler thread failed to spawn, error = -4 Kernel attempted to read user page (10c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x0000010c Faulting instruction address: 0xc00000000818e9a8 Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region hash dm_log dm_mod fuse overlay squashfs loop CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1 NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8 REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228 XER: 20040001 CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0 GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000 GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0 GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288 GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898 GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000 GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc NIP [c00000000818e9a8] kthread_stop+0x38/0x230
LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
Call Trace: [c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
[c0000000089846e8] scsi_host_dev_release+0x98/0x160
[c00000000891e960] device_release+0x60/0x100
[c0000000087e55c4] kobject_release+0x84/0x210
[c00000000891ec78] put_device+0x28/0x40
[c000000008984ea4] scsi_host_alloc+0x314/0x430
[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
[c000000008110104] vio_bus_probe+0xa4/0x4b0
[c00000000892a860] really_probe+0x140/0x680
[c00000000892aefc] driver_probe_device+0x15c/0x200
[c00000000892b63c] device_driver_attach+0xcc/0xe0
[c00000000892b740] __driver_attach+0xf0/0x200
[c000000008926f28] bus_for_each_dev+0xa8/0x130
[c000000008929ce4] driver_attach+0x34/0x50
[c000000008928fc0] bus_add_driver+0x1b0/0x300
[c00000000892c798] driver_register+0x98/0x1a0
[c00000000810eb60] __vio_register_driver+0x80/0xe0
[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
[c0000000080121d0] do_one_initcall+0x60/0x2d0
[c000000008261abc] do_init_module+0x7c/0x320
[c000000008265700] load_module+0x2350/0x25b0
[c000000008265cb4] __do_sys_finit_module+0xd4/0x160
[c000000008031110] system_call_exception+0x150/0x2d0
[c00000000800d35c] system_call_common+0xec/0x278

Fix this be nulling shost->ehandler when the kthread fails to spawn.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 08/06/2025

The vulnerability described in CVE-2021-47337 represents a critical kernel NULL pointer dereference issue within the Linux SCSI subsystem that arises during error handling operations. This flaw occurs in the scsi core module when the error handler kernel thread fails to spawn properly during host allocation. The root cause stems from an improper handling of the error condition where the system sets shost->ehandler to ERR_PTR(-ENOMEM) when thread creation fails, but the cleanup logic in scsi_host_dev_release() continues to attempt kthread_stop() operations on this invalid pointer regardless of whether the thread was successfully created or not. This inconsistency creates a dangerous scenario where kernel memory access violations can occur, potentially leading to system crashes or privilege escalation opportunities.

The technical implementation of this vulnerability demonstrates a classic improper error handling pattern that violates fundamental kernel safety principles. When the SCSI host allocation process encounters an error during kthread creation, the code path sets the error handler pointer to an error value rather than properly nullifying it. The subsequent cleanup routine fails to distinguish between a valid thread pointer and an error indicator, leading to direct dereference of the ERR_PTR value through kthread_stop() function calls. This behavior constitutes a CWE-476: NULL Pointer Dereference vulnerability, specifically manifesting as a kernel-level NULL pointer dereference that occurs at address 0x0000010c, as evidenced by the kernel oops dump showing the faulting instruction at kthread_stop+0x38/0x230.

The operational impact of this vulnerability extends beyond simple system instability to potential security implications within kernel environments. The kernel access violation described in the crash dump indicates that an attacker could potentially exploit this condition to cause system panics or, more critically, to execute arbitrary code with kernel privileges. The vulnerability affects systems using the SCSI subsystem, particularly those employing the ibmvscsi driver on PowerPC platforms as demonstrated by the stack trace showing the ibmvscsi_probe function invocation. The attack surface is broadened by the fact that this occurs during normal device probe operations, making it potentially exploitable during system boot or device initialization phases. The ATT&CK framework would categorize this under privilege escalation techniques, specifically leveraging kernel vulnerabilities to gain elevated system access.

The fix implemented addresses this vulnerability by ensuring proper nullification of the shost->ehandler pointer when kthread spawning fails. This modification prevents the subsequent cleanup code from attempting to stop a non-existent thread and dereference the error pointer. The solution follows established kernel development practices for error handling, ensuring that error conditions are properly sanitized before being passed to cleanup routines. This approach aligns with the principle of defensive programming and prevents the cascading failure that occurs when error indicators are not properly distinguished from valid pointers. The resolution effectively eliminates the kernel NULL pointer dereference by ensuring that kthread_stop() is only called on valid thread pointers, thereby preventing the system crash condition that could potentially be exploited by malicious actors to compromise kernel integrity and system security.

Reservation

05/21/2024

Disclosure

05/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00240

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!