CVE-2021-47288

media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

Fix an 11-year old bug in ngene_command_config_free_buf() while
addressing the following warnings caught with -Warray-bounds:

arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]

The problem is that the original code is trying to copy 6 bytes of
data into a one-byte size member _config_ of the wrong structue
FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a
legitimate compiler warning because memcpy() overruns the length
of &com.cmd.ConfigureBuffers.config. It seems that the right
structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains
6 more members apart from the header _hdr_. Also, the name of
the function ngene_command_config_free_buf() suggests that the actual
intention is to ConfigureFreeBuffers, instead of ConfigureBuffers
(which takes place in the function ngene_command_config_buf(), above).

Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS
into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as
the destination address, instead of &com.cmd.ConfigureBuffers.config,
when calling memcpy().

This also helps with the ongoing efforts to globally enable
-Warray-bounds and get us closer to being able to tighten the
FORTIFY_SOURCE routines on memcpy().

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medios: ngene: corrige un error fuera de los límites en ngene_command_config_free_buf(). Corrige un error de hace 11 años en ngene_command_config_free_buf() mientras se solucionan las siguientes advertencias detectadas con -Warray-bounds: arch/alpha/include/asm/string.h:22:16: advertencia: el desplazamiento '__builtin_memcpy' [12, 16] del objeto en 'com' está fuera de los límites del subobjeto referenciado 'config' con tipo 'carácter sin firmar ' en el desplazamiento 10 [-Warray-bounds] arch/x86/include/asm/string_32.h:182:25: advertencia: el desplazamiento '__builtin_memcpy' [12, 16] del objeto en 'com' está fuera de los límites de subobjeto referenciado 'config' con tipo 'unsigned char' en el desplazamiento 10 [-Warray-bounds] El problema es que el código original está intentando copiar 6 bytes de datos en un miembro de tamaño de un byte _config_ de la estructura incorrecta FW_CONFIGURE_BUFFERS, en una sola llamada a memcpy(). Esto provoca una advertencia legítima del compilador porque memcpy() sobrepasa la longitud de &com.cmd.ConfigureBuffers.config. Parece que la estructura correcta es FW_CONFIGURE_FREE_BUFFERS, porque contiene 6 miembros más además del encabezado _hdr_. Además, el nombre de la función ngene_command_config_free_buf() sugiere que la intención real es ConfigureFreeBuffers, en lugar de ConfigureBuffers (que tiene lugar en la función ngene_command_config_buf(), arriba). Solucione este problema encerrando esos 6 miembros de la estructura FW_CONFIGURE_FREE_BUFFERS en una nueva configuración de estructura y use &com.cmd.ConfigureFreeBuffers.config como dirección de destino, en lugar de &com.cmd.ConfigureBuffers.config, al llamar a memcpy(). Esto también ayuda con los esfuerzos continuos para habilitar globalmente -Warray-bounds y acercarnos a poder ajustar las rutinas FORTIFY_SOURCE en memcpy().

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-05-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/dae52d009fc950b5c209260d50fcc000f5becd3c	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2	2021-07-28
https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686	2021-07-28
https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c	2021-07-28
https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00	2021-07-28
https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3	2021-07-28
https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092	2021-07-28
https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070	2021-07-28
https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f	2021-07-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 4.4.277 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.4.277"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 4.9.277 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.9.277"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 4.14.241 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.14.241"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 4.19.199 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 4.19.199"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 5.4.136 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.4.136"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 5.10.54 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.10.54"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 5.13.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.13.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.34 < 5.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.34 < 5.14"		en		Affected