CVE-2021-46943

media: staging/intel-ipu3: Fix set_fmt error handling

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

media: staging/intel-ipu3: Fix set_fmt error handling

If there is an error during a set_fmt, do not overwrite the previous
sizes with the invalid config.

Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and
causing the following OOPs

[ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)
[ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0
[ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP

*Credits: N/A
CVSS Scores
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
Exploitation: None
Automatable: No
Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-25 CVE Reserved
  • 2024-02-27 CVE Published
  • 2024-04-21 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-131: Incorrect Calculation of Buffer Size
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Linux | Linux Kernel | >= 5.2 < 5.4.118 | en | Affected
Linux | Linux Kernel | >= 5.2 < 5.10.36 | en | Affected
Linux | Linux Kernel | >= 5.2 < 5.11.20 | en | Affected
Linux | Linux Kernel | >= 5.2 < 5.12.3 | en | Affected
Linux | Linux Kernel | >= 5.2 < 5.13 | en | Affected