CVE-2021-47172

iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers

Channel numbering must start at 0 and then not have any holes, or
it is possible to overflow the available storage. Note this bug was
introduced as part of a fix to ensure we didn't rely on the ordering
of child nodes. So we need to support arbitrary ordering but they all
need to be there somewhere.

Note I hit this when using qemu to test the rest of this series.
Arguably this isn't the best fix, but it is probably the most minimal
option for backporting etc.

Alexandru's sign-off is here because he carried this patch in a larger
set that Jonathan then applied.

En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: iio: adc: ad7124: Se corrige posible desbordamiento por números de canales no secuenciales. La numeración de canales debe comenzar en 0 y luego no tener huecos, o es posible que se desborde el almacenamiento disponible. Tenga en cuenta que este error se introdujo como parte de una solución para garantizar que no dependiéramos del orden de los nodos secundarios. Por lo tanto, debemos apoyar el ordenamiento arbitrario, pero todos deben estar ahí en alguna parte. Tenga en cuenta que presioné esto cuando uso qemu para probar el resto de esta serie. Podría decirse que esta no es la mejor solución, pero probablemente sea la opción más mínima para realizar backporting, etc. La aprobación de Alexandru está aquí porque llevó este parche en un conjunto más grande que luego aplicó Jonathan.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-25 CVE Reserved
2024-03-25 CVE Published
2024-03-26 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/5408cbc6337300d6f1a87c797273c535ed96305a	Vuln. Introduced
https://git.kernel.org/stable/c/d7857e4ee1ba69732b16c73b2f2dde83ecd78ee4	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f49149964d2423fb618fb6b755bb1eaa431cca2c	2021-06-03
https://git.kernel.org/stable/c/f70122825076117787b91e7f219e21c09f11a5b9	2021-06-03
https://git.kernel.org/stable/c/26da8040eccc6c6b0e415e9a3baf72fd39eb2fdc	2021-06-03
https://git.kernel.org/stable/c/f2a772c51206b0c3f262e4f6a3812c89a650191b	2021-05-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.14 < 5.4.124 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.14 < 5.4.124"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.10.42 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.42"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.12.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.13"		en		Affected