7.1

CVE-2021-47288

media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

In the Linux kernel, the following vulnerability has been resolved:

media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

Fix an 11-year old bug in ngene_command_config_free_buf() while
addressing the following warnings caught with -Warray-bounds:

arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]

The problem is that the original code is trying to copy 6 bytes of
data into a one-byte size member _config_ of the wrong structue
FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a
legitimate compiler warning because memcpy() overruns the length
of &com.cmd.ConfigureBuffers.config. It seems that the right
structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains
6 more members apart from the header _hdr_. Also, the name of
the function ngene_command_config_free_buf() suggests that the actual
intention is to ConfigureFreeBuffers, instead of ConfigureBuffers
(which takes place in the function ngene_command_config_buf(), above).

Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS
into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as
the destination address, instead of &com.cmd.ConfigureBuffers.config,
when calling memcpy().

This also helps with the ongoing efforts to globally enable
-Warray-bounds and get us closer to being able to tighten the
FORTIFY_SOURCE routines on memcpy().
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.34 < 4.4.277
LinuxLinux Kernel Version >= 4.5 < 4.9.277
LinuxLinux Kernel Version >= 4.10 < 4.14.241
LinuxLinux Kernel Version >= 4.15 < 4.19.199
LinuxLinux Kernel Version >= 4.20 < 5.4.136
LinuxLinux Kernel Version >= 5.5 < 5.10.54
LinuxLinux Kernel Version >= 5.11 < 5.13.6
LinuxLinux Kernel Version5.14 Updaterc1
LinuxLinux Kernel Version5.14 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.14
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2
Patch
https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f
Patch
https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070
Patch
https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686
Patch
https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3
Patch
https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c
Patch
https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092
Patch
https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00
Patch