CVE-2021-47288
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
Fix an 11-year old bug in ngene_command_config_free_buf() while
addressing the following warnings caught with -Warray-bounds:
arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
The problem is that the original code is trying to copy 6 bytes of
data into a one-byte size member _config_ of the wrong structue
FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a
legitimate compiler warning because memcpy() overruns the length
of &com.cmd.ConfigureBuffers.config. It seems that the right
structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains
6 more members apart from the header _hdr_. Also, the name of
the function ngene_command_config_free_buf() suggests that the actual
intention is to ConfigureFreeBuffers, instead of ConfigureBuffers
(which takes place in the function ngene_command_config_buf(), above).
Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS
into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as
the destination address, instead of &com.cmd.ConfigureBuffers.config,
when calling memcpy().
This also helps with the ongoing efforts to globally enable
-Warray-bounds and get us closer to being able to tighten the
FORTIFY_SOURCE routines on memcpy().
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medios: ngene: corrige un error fuera de los límites en ngene_command_config_free_buf(). Corrige un error de hace 11 años en ngene_command_config_free_buf() mientras se solucionan las siguientes advertencias detectadas con -Warray-bounds: arch/alpha/include/asm/string.h:22:16: advertencia: el desplazamiento '__builtin_memcpy' [12, 16] del objeto en 'com' está fuera de los límites del subobjeto referenciado 'config' con tipo 'carácter sin firmar ' en el desplazamiento 10 [-Warray-bounds] arch/x86/include/asm/string_32.h:182:25: advertencia: el desplazamiento '__builtin_memcpy' [12, 16] del objeto en 'com' está fuera de los límites de subobjeto referenciado 'config' con tipo 'unsigned char' en el desplazamiento 10 [-Warray-bounds] El problema es que el código original está intentando copiar 6 bytes de datos en un miembro de tamaño de un byte _config_ de la estructura incorrecta FW_CONFIGURE_BUFFERS, en una sola llamada a memcpy(). Esto provoca una advertencia legítima del compilador porque memcpy() sobrepasa la longitud de &com.cmd.ConfigureBuffers.config. Parece que la estructura correcta es FW_CONFIGURE_FREE_BUFFERS, porque contiene 6 miembros más además del encabezado _hdr_. Además, el nombre de la función ngene_command_config_free_buf() sugiere que la intención real es ConfigureFreeBuffers, en lugar de ConfigureBuffers (que tiene lugar en la función ngene_command_config_buf(), arriba). Solucione este problema encerrando esos 6 miembros de la estructura FW_CONFIGURE_FREE_BUFFERS en una nueva configuración de estructura y use &com.cmd.ConfigureFreeBuffers.config como dirección de destino, en lugar de &com.cmd.ConfigureBuffers.config, al llamar a memcpy(). Esto también ayuda con los esfuerzos continuos para habilitar globalmente -Warray-bounds y acercarnos a poder ajustar las rutinas FORTIFY_SOURCE en memcpy().
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-21 CVE Reserved
- 2024-05-21 CVE Published
- 2024-12-19 CVE Updated
- 2024-12-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/dae52d009fc950b5c209260d50fcc000f5becd3c | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 4.4.277 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.4.277" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 4.9.277 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.9.277" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 4.14.241 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.14.241" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 4.19.199 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.19.199" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 5.4.136 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.4.136" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 5.10.54 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.10.54" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 5.13.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.13.6" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 2.6.34 < 5.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.14" | en |
Affected
|