Bug 2347725 (CVE-2021-47652) - CVE-2021-47652 kernel: video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
Keywords:
Status: NEW
Alias: CVE-2021-47652
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-02-26 03:04 UTC by OSIDB Bzimport
Modified: 2025-02-26 15:46 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-02-26 03:04:34 UTC
In the Linux kernel, the following vulnerability has been resolved:

video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()

I got a null-ptr-deref report:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:fb_destroy_modelist+0x38/0x100
...
Call Trace:
 ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]
 usb_probe_interface+0x1aa/0x3c0 [usbcore]
 really_probe+0x167/0x460
...
 ret_from_fork+0x1f/0x30

If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will
be called to destroy modelist in the error handling path. But modelist
has not been initialized yet, so it will result in null-ptr-deref.

Initialize modelist before calling fb_alloc_cmap() to fix this bug.
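
The ordering problem described above, as an added userspace model in C (not the kernel's or the driver's code). The names fb_model, init_list_head, destroy_modelist and probe_model are hypothetical, and the model assumes the structure is zero-filled at allocation and reports the NULL case as a return value instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the kernel's circular doubly linked list head. */
struct list_head { struct list_head *next, *prev; };
struct fb_model { struct list_head modelist; }; /* stand-in for fb_info */

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/*
 * Model of the modelist teardown walk. A real list walk reads head->next and
 * then pos->next unconditionally; this model returns -1 for a NULL
 * head->next so the outcome can be observed without crashing.
 */
static int destroy_modelist(struct list_head *head)
{
    struct list_head *pos, *n;

    if (head->next == NULL)
        return -1;                  /* the kernel would oops at address 0 */
    for (pos = head->next, n = pos->next; pos != head; pos = n, n = pos->next)
        free(pos);                  /* not reached here: list stays empty */
    init_list_head(head);
    return 0;
}

/*
 * Model of the probe error path. cmap_fails simulates fb_alloc_cmap()
 * failing; init_first selects the fixed ordering. Returns 0 on success,
 * 1 if the error path ran cleanly, -1 if it walked an uninitialized list.
 */
static int probe_model(int init_first, int cmap_fails)
{
    struct fb_model *info = calloc(1, sizeof(*info)); /* zero-filled */
    int rc = 0;

    if (!info)
        return 1;
    if (init_first)
        init_list_head(&info->modelist);  /* fixed: before the cmap step */
    if (cmap_fails)
        rc = destroy_modelist(&info->modelist) ? -1 : 1; /* error path */
    else if (!init_first)
        init_list_head(&info->modelist);  /* buggy order: set up too late */
    free(info);
    return rc;
}

int main(void)
{
    printf("late init, cmap fails:  %d\n", probe_model(0, 1));
    printf("early init, cmap fails: %d\n", probe_model(1, 1));
    return 0;
}
```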

Comment 1 Avinash Hanwate 2025-02-26 11:06:41 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2021-47652-65fa@gregkh/T

Comment 2 Avinash Hanwate 2025-02-26 15:36:16 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2021-47652-65fa@gregkh/T