CVE-2021-47500 in Linuxinfo

Summary

by MITRE • 05/24/2024

In the Linux kernel, the following vulnerability has been resolved:

iio: mma8452: Fix trigger reference couting

The mma8452 driver directly assigns a trigger to the struct iio_dev. The IIO core when done using this trigger will call `iio_trigger_put()` to drop the reference count by 1.

Without the matching `iio_trigger_get()` in the driver the reference count can reach 0 too early, the trigger gets freed while still in use and a use-after-free occurs.

Fix this by getting a reference to the trigger before assigning it to the IIO device.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/13/2025

The vulnerability CVE-2021-47500 resides within the Linux kernel's industrial I/O (IIO) subsystem, specifically affecting the mma8452 driver that manages accelerometer sensors. This flaw represents a classic use-after-free condition that can lead to system instability and potential security exploitation. The mma8452 driver is responsible for interfacing with a specific class of motion sensors commonly found in mobile devices and embedded systems, making this vulnerability particularly concerning for mobile and IoT environments where such sensors are prevalent. The issue stems from improper reference counting mechanisms within the driver's trigger management implementation.

The technical root cause involves the improper handling of reference counting for IIO triggers within the driver's initialization and cleanup processes. When the mma8452 driver assigns a trigger to the iio_dev structure, it fails to increment the reference count using the standard iio_trigger_get() function before making the assignment. This omission creates a race condition where the IIO core's trigger management system can prematurely call iio_trigger_put() to decrement the reference count, potentially reducing it to zero even though the driver is still actively using the trigger. The subsequent freeing of the trigger object while references still exist creates a use-after-free vulnerability that can be exploited by malicious actors to execute arbitrary code or cause system crashes.

This vulnerability directly maps to CWE-416, which describes the use of freed memory condition, and can be categorized under ATT&CK technique T1059 for command and scripting interpreter usage, as exploitation could lead to privilege escalation. The operational impact extends beyond simple system instability to potentially enable remote code execution in scenarios where the affected system is exposed to untrusted inputs. The trigger mechanism in IIO subsystems is critical for timestamping events and managing sensor data acquisition timing, making this vulnerability particularly dangerous in real-time systems where precise timing and data integrity are essential.

The fix implemented addresses the core issue by ensuring proper reference counting through the addition of iio_trigger_get() calls before assigning triggers to IIO devices. This simple but critical modification ensures that the reference count accurately reflects the actual usage of the trigger object, preventing premature deallocation. The solution aligns with standard kernel development practices for managing object lifetimes and reference counting in concurrent systems. System administrators should prioritize patching affected kernels, particularly those running on embedded devices, mobile platforms, and IoT systems where the mma8452 sensor driver is actively utilized. The vulnerability demonstrates the importance of proper resource management in kernel space and highlights the need for rigorous code review processes to prevent similar issues in other driver implementations within the IIO subsystem.

Reservation

05/22/2024

Disclosure

05/24/2024

Moderation

accepted

CPE

ready

EPSS

0.00242

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!