CVE CyberSecurity Database News

CVE-2021-47016 - Timer Interrupt Bug in Linux Kernel m68k (mvme147, mvme16x) – Explained and Exploited

Poster -

The Linux kernel is the heart of countless devices and systems. When bugs occur in its core, they can have surprising effects—like stalling a whole computer because a single timer stopped ticking. Here, we break down CVE-2021-47016, a bug found and fixed in the Linux kernel’s m68k architecture for MVME147 and MVME16x machines. This post explains what went wrong, includes code samples, shows how it can be exploited (in a controlled environment), and provides references for further reading.

What is CVE-2021-47016?

CVE-2021-47016 is a vulnerability in the Linux kernel, affecting the m68k (Motorola 68000 series) architecture, specifically the MVME147 and MVME16x VME single-board computers. Here’s a plain-English summary:

- When the kernel cleared the interrupt flag and counter overflow in the Programmable Chip Controller (PCC) timer, it also accidentally wiped out the timer’s configuration bits.
- As a result, after the very first timer interrupt, the hardware timer was left in an unusable state—no more timer interrupts would be delivered.
- This caused the kernel initialization to hang, specifically during the calibrate_delay function, since the system uses timer ticks (jiffies) to measure time for calibration. Since jiffies stopped updating, the kernel got stuck.

The result? The system just sat there, waiting forever.

Here's the problematic code that cleared too many bits

/* Incorrect: This clears the configuration bits as well */
PCC_T1CTL = ;

This code tried to clear out interrupt flags by setting the control register to zero, but inadvertently cleared out the bits that configured how the timer operated.

The Fix

Instead, the patch changed the code to only clear the specific bits needed—*without* touching the timer’s setup:

/* Correct: Only clear interrupt flag and overflow bits */
PCC_T1CTL &= ~(PCC_T1INT | PCC_T1OVF);

Now, only the relevant interrupt/overflow bits are changed, and the timer configuration is preserved.

Commit reference:
Patch: m68k: mvme147,mvme16x: Don't wipe PCC timer config bits

Michael, who reported the bug, wrote

> "This results in no timer interrupts being delivered after the first. Initialization then hangs in calibrate_delay as the jiffies counter is not updated."

Exploiting the Bug (Controlled Environment)

Since this isn't a remote exploit or something able to gain superuser access, it’s a *denial-of-service within the hardware*. But if you want to see it in action (maybe for hobbyist or research reasons), here’s how you *could* trigger it:

1. Setup

- Need: Linux running on m68k architecture, specifically MVME147 or MVME16x board (or emulator like QEMU).

3. Watch

- During boot, the kernel initialization will hang with messages around calibrate_delay or timekeeping, never completing.

- CVE-2021-47016 Details – NVD
- Linux Kernel Commit Fix
- Linux Kernel Source
- Linux m68k Architecture Documentation

Accidentally overwriting hardware configuration can take out essential components, like timers.

While this bug mainly affected old hardware, the lesson is timeless—especially for kernel and embedded programmers.


Summary:
CVE-2021-47016 shows us how a single careless register write can silently stop a crucial system timer, and in turn halt the whole system’s boot. If you run an m68k-based Linux system, make sure you’re running a patched kernel. For everyone else, remember: always be careful which bits you flip!


*More coverage and technical write-ups coming soon. Got questions? Leave a comment below or check our resource links above.*

Timeline

Published on: 02/29/2024 23:15:07 UTC
Last modified on: 01/09/2025 19:52:27 UTC