CVE-2021-47527 in Linux
Summary
by MITRE • 05/24/2024
In the Linux kernel, the following vulnerability has been resolved:
serial: core: fix transmit-buffer reset and memleak
Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") converted serial core to use tty_port_close() but failed to notice that the transmit buffer still needs to be freed on final close.
Not freeing the transmit buffer means that the buffer is no longer cleared on next open so that any ioctl() waiting for the buffer to drain might wait indefinitely (e.g. on termios changes) or that stale data can end up being transmitted in case tx is restarted.
Furthermore, the buffer of any port that has been opened would leak on driver unbind.
Note that the port lock is held when clearing the buffer pointer due to the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race between uart_put_char() and uart_shutdown()").
Also note that the tty-port shutdown() callback is not called for console ports so it is not strictly necessary to free the buffer page after releasing the lock (cf. d72402145ace ("tty/serial: do not free trasnmit buffer page under port lock")).
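The buffer lifecycle the commit message describes, modelled in user space as an added example (not the kernel's code or the fix's diff): the leaky close leaves stale bytes visible to the next open and never releases the allocation, while the fixed close clears the pointer under the port lock and frees the page afterwards. The struct and function names are assumptions.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Minimal user-space model of a port's transmit state; names are assumptions,
 * not the kernel's struct uart_state. */
struct port_state {
    char *xmit_buf;     /* transmit buffer page, NULL when not allocated */
    size_t head, tail;  /* circular-buffer indices; equal means drained */
    int lock_held;      /* stands in for the port spinlock */
};
static int live_buffers;  /* outstanding allocations, to expose the leak */

static void port_lock(struct port_state *p)   { assert(!p->lock_held); p->lock_held = 1; }
static void port_unlock(struct port_state *p) { assert(p->lock_held);  p->lock_held = 0; }

/* Startup path: allocate only when no buffer is present. A buffer that
 * survived the previous close is reused as-is, so head/tail are not reset. */
int port_open(struct port_state *p) {
    if (p->xmit_buf == NULL) {
        p->xmit_buf = calloc(4096, 1);
        if (!p->xmit_buf) return -1;
        live_buffers++;
        p->head = p->tail = 0;
    }
    return 0;
}

/* Queue bytes for transmission; the model never actually drains them. */
void port_write(struct port_state *p, const char *data, size_t len) {
    if (p->head + len > 4096) return;
    memcpy(p->xmit_buf + p->head, data, len);
    p->head += len;
}

size_t port_pending(const struct port_state *p) { return p->head - p->tail; }

/* Behaviour after 761ed4a94582: final close leaves the buffer allocated. */
void port_shutdown_leaky(struct port_state *p) { (void)p; }

/* The fix: detach the buffer under the port lock (the ldisc race) and free it
 * only after the lock is dropped, so the next open starts from a fresh page. */
void port_shutdown_fixed(struct port_state *p) {
    char *buf;
    port_lock(p);
    buf = p->xmit_buf;
    p->xmit_buf = NULL;
    port_unlock(p);
    if (buf) { free(buf); live_buffers--; }
}
```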
Analysis
by VulDB Data Team • 09/25/2025
The vulnerability described in CVE-2021-47527 represents a critical memory management flaw within the Linux kernel's serial communication subsystem, specifically affecting the serial core driver implementation. This issue stems from an incomplete code conversion that occurred during the transition from traditional serial port handling to the newer tty_port_close() framework. The problem manifests when serial ports are closed and reopened, creating persistent memory leaks and potential data corruption scenarios that can severely impact system stability and security.
The technical root cause lies in the failure to properly handle transmit buffer cleanup during the final closure of serial ports. When the kernel's serial core was modified to utilize tty_port_close() in commit 761ed4a94582, developers overlooked the necessity of explicitly freeing the transmit buffer memory. This oversight creates two distinct operational problems that compound the vulnerability. First, when a serial port is closed but the transmit buffer remains allocated, subsequent opens of that same port cannot properly clear the buffer state, leading to indefinite waiting periods for buffer drain operations during ioctl() calls. Second, the stale data that accumulates in these uncleared buffers can be transmitted during subsequent port usage, creating potential data leakage or corruption scenarios that violate the principle of least privilege and data integrity.
The memory leak aspect of this vulnerability becomes particularly problematic during driver unbinding operations, where any port that has been opened during the driver's lifetime will retain its transmit buffer memory allocation indefinitely. This creates a persistent resource consumption issue that can lead to system performance degradation and potentially contribute to denial of service conditions. The vulnerability is further complicated by the locking mechanisms within the serial core, as the port lock must be held during buffer pointer clearing operations to address race conditions with the line discipline framework. This locking requirement, established by commit a5ba1d95e46e, creates a complex dependency where buffer cleanup cannot occur until after the lock is released, potentially leaving memory in an inconsistent state during the transition period.
The operational impact of this vulnerability extends beyond simple memory consumption issues to affect system reliability and security posture. When ioctl() operations wait indefinitely for buffer drain completion, they can cause system hangs or unresponsive behavior during terminal configuration changes, which represents a direct threat to system availability. Additionally, the transmission of stale data from uncleared buffers can lead to information disclosure or data corruption, particularly in environments where serial communication carries sensitive information or controls critical systems. The vulnerability's classification aligns with CWE-401 (Improper Release of Memory Before Removing Last Reference) and demonstrates characteristics consistent with ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) through potential exploitation of system stability issues that could facilitate further attacks. The fact that console ports are exempt from the buffer page freeing process due to their special handling in the tty-port shutdown callback adds another layer of complexity to the vulnerability's exploitation and mitigation considerations, as it means the memory leak affects only non-console serial ports while potentially leaving console port operations unaffected.