CVE-2021-47503 in Linux

Summary

by MITRE • 05/24/2024

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

Calling scsi_remove_host() before scsi_add_host() results in a crash:

BUG: kernel NULL pointer dereference, address: 0000000000000108
RIP: 0010:device_del+0x63/0x440
Call Trace:
 device_unregister+0x17/0x60
 scsi_remove_host+0xee/0x2a0
 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
 local_pci_probe+0x3f/0x90

We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host() has not been called yet at that point in time.

Function call tree:

pm8001_pci_probe()
  |
  `- pm8001_pci_alloc()
  |   |
  |   `- pm8001_alloc()
  |       |
  |       `- scsi_remove_host()
  |
  `- scsi_add_host()


Analysis

by VulDB Data Team • 08/10/2025

This vulnerability is in the Linux kernel's SCSI subsystem, in the pm80xx driver for the pm8001 family of SAS/SATA host adapters. It is an ordering error in the driver's PCI probe path rather than a timing or race problem: the error handling in pm8001_alloc() called scsi_remove_host() on a Scsi_Host that had not yet been registered with scsi_add_host(). scsi_remove_host() unregisters the host's embedded struct device, and device_del() then reads through a pointer that is still NULL; the faulting address 0x108 in the summary is the offset of that field from a NULL base, not a valid location in an initialised device. The call trace records the flow: pm8001_pci_probe() calls pm8001_pci_alloc(), which calls pm8001_alloc(); when that stage fails, its cleanup calls scsi_remove_host(), although scsi_add_host() is only reached later, back in pm8001_pci_probe(). The weakness is CWE-476 (NULL Pointer Dereference).

The impact is limited to availability, and the reachable window is narrow. The crash sits in the probe error path, so it is hit only when pm8001_alloc() fails while the driver is binding to a controller at boot or module load, for example after an allocation failure. It is not reachable through a user-visible interface, and nothing in the commit indicates that it can be triggered deliberately; the EPSS score of 0.00248 and the absence of a KEV entry are consistent with that. What the bug changes is the failure mode: a recoverable probe failure that should have left the controller unbound instead produces a kernel oops on a system whose storage may depend on that controller.

The fix is the one the commit title states: scsi_remove_host() is no longer called from pm8001_alloc(). Host removal belongs only on error paths that run after scsi_add_host() has returned successfully; a failure before that point must undo only what has actually been set up, such as memory and mapped resources, and return the error to the PCI core. The same rule applies to any probe routine: tear resources down in the reverse order of their creation, and never call an unregister function for an object that was never registered.
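The probe and unwind ordering described above, as an added userspace model in C that is not part of this page or of the pm80xx driver. model_host, model_add_host, model_remove_host, model_driver_alloc, probe_buggy, probe_fixed and run_scenario are hypothetical stand-ins for the kernel functions named in the call tree. probe_buggy reproduces the pre-fix shape, where the alloc-stage failure path calls the remove routine before the add routine has run; probe_fixed uses the goto unwind ladder common in kernel probe functions, which illustrates the principle and is not the text of the actual patch (that patch simply drops the call). Where the real kernel oopses on the premature remove, the model returns a MODEL_CRASH sentinel so the two shapes can be compared.

```c
#include <errno.h>
#include <stdlib.h>

/* Stands in for the kernel oops the real device_del() hits. */
#define MODEL_CRASH (-1000)

/* Hypothetical stand-in for a Scsi_Host plus driver-private state. */
struct model_host {
    int added;      /* registered with the midlayer (scsi_add_host()) */
    char *dma_mem;  /* owned by the driver-private alloc stage */
};

/* Stand-in for scsi_add_host(). */
static int model_add_host(struct model_host *h, int fail)
{
    if (fail)
        return -EIO;
    h->added = 1;
    return 0;
}

/* Stand-in for scsi_remove_host() -> device_unregister() -> device_del().
 * Valid only for an added host; the real kernel dereferences NULL here. */
static int model_remove_host(struct model_host *h)
{
    if (!h->added)
        return MODEL_CRASH;
    h->added = 0;
    return 0;
}

/* Stand-in for the pm8001_alloc() stage: driver-private allocations. */
static int model_driver_alloc(struct model_host *h, int fail)
{
    if (fail)
        return -ENOMEM;
    h->dma_mem = malloc(4096);
    return h->dma_mem ? 0 : -ENOMEM;
}

/* Pre-fix shape: the alloc-stage failure path calls remove_host()
 * although add_host() has not run yet. */
int probe_buggy(int fail_alloc, int fail_add, struct model_host **out)
{
    struct model_host *h = calloc(1, sizeof(*h));
    int rc;
    if (!h)
        return -ENOMEM;
    rc = model_driver_alloc(h, fail_alloc);
    if (rc) {
        int crash = model_remove_host(h);  /* wrong: host never added */
        free(h);
        return crash ? crash : rc;
    }
    rc = model_add_host(h, fail_add);
    if (rc) {
        free(h->dma_mem);
        free(h);
        return rc;
    }
    *out = h;
    return 0;
}

/* Fixed shape: a goto unwind ladder. Each label undoes only the steps
 * that completed, so remove_host() is reached only after add_host(). */
int probe_fixed(int fail_alloc, int fail_add, struct model_host **out)
{
    struct model_host *h = calloc(1, sizeof(*h));
    int rc;
    if (!h)
        return -ENOMEM;
    rc = model_driver_alloc(h, fail_alloc);
    if (rc)
        goto err_free_host;            /* nothing registered yet */
    rc = model_add_host(h, fail_add);
    if (rc)
        goto err_free_dma;
    *out = h;
    return 0;
err_free_dma:
    free(h->dma_mem);
err_free_host:
    free(h);
    return rc;
}

/* Teardown in reverse order of setup (the .remove callback). */
int model_release(struct model_host *h)
{
    int rc = model_remove_host(h);
    free(h->dma_mem);
    free(h);
    return rc;
}

/* Runs one probe variant; on success also tears the host down. */
int run_scenario(int buggy, int fail_alloc, int fail_add)
{
    struct model_host *h = NULL;
    int rc = buggy ? probe_buggy(fail_alloc, fail_add, &h)
                   : probe_fixed(fail_alloc, fail_add, &h);
    if (rc)
        return rc;
    return h && h->added ? model_release(h) : -1;
}
```

run_scenario(1, 1, 0) is the CVE: the alloc stage fails in the buggy probe and the result is MODEL_CRASH, where the kernel would oops. The same failure through probe_fixed returns -ENOMEM and leaves the controller unbound; an add failure returns -EIO after freeing only the DMA memory; and the success path registers the host and releases it cleanly, which is the only point at which the remove routine is ever legitimately called.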

Reservation

05/22/2024

Disclosure

05/24/2024

Moderation

accepted

CPE

ready

EPSS

0.00248

KEV

no

Activities

very low

Sources
