CVE-2021-47475

comedi: vmk80xx: fix transfer-buffer overflows

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

comedi: vmk80xx: fix transfer-buffer overflows

The driver uses endpoint-sized USB transfer buffers but up until
recently had no sanity checks on the sizes.

Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize
of usb endpoints found") inadvertently fixed NULL-pointer dereferences
when accessing the transfer buffers in case a malicious device has a
zero wMaxPacketSize.

Make sure to allocate buffers large enough to handle also the other
accesses that are done without a size check (e.g. byte 18 in
vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond
the buffers, for example, when doing descriptor fuzzing.

The original driver was for a low-speed device with 8-byte buffers.
Support was later added for a device that uses bulk transfers and is
presumably a full-speed device with a maximum 64-byte wMaxPacketSize.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: vmk80xx: corrige desbordamientos del búfer de transferencia El controlador utiliza búferes de transferencia USB del tamaño de un terminal, pero hasta hace poco no tenía controles de cordura sobre los tamaños. el commit e1f13c879a7c ("staging: comedi: verificar la validez de wMaxPacketSize de los endpoints USB encontrados") corrigió inadvertidamente las desreferencias de puntero NULL al acceder a los buffers de transferencia en caso de que un dispositivo malicioso tenga un wMaxPacketSize cero. Asegúrese de asignar buffers lo suficientemente grandes para manejar también los otros accesos que se realizan sin una verificación de tamaño (por ejemplo, el byte 18 en vmk80xx_cnt_insn_read() para VMK8061_MODEL) para evitar escribir más allá de los buffers, por ejemplo, cuando se realiza una confusión de descriptores. El controlador original era para un dispositivo de baja velocidad con buffers de 8 bytes. Posteriormente se agregó soporte para un dispositivo que utiliza transferencias masivas y presumiblemente es un dispositivo de velocidad completa con un wMaxPacketSize máximo de 64 bytes.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-22 CVE Reserved
2024-05-22 CVE Published
2024-05-23 EPSS Updated
2024-11-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/985cafccbf9b7f862aa1c5ee566801e18b5161fb	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f	2021-11-12
https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba	2021-11-12
https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7	2021-11-12
https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088	2021-11-12
https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9	2021-11-12
https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00	2021-11-12
https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47	2021-11-12
https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50	2021-11-12
https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1	2021-10-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 4.4.292 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 4.4.292"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 4.9.290 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 4.9.290"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 4.14.255 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 4.14.255"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 4.19.217 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 4.19.217"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.4.159 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.4.159"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.10.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.10.79"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.14.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.14.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.15.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.15.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.16"		en		Affected