CVE-2024-36477

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the
maximum transfer length and the size of the transfer buffer. As such, it
does not account for the 4 bytes of header that prepends the SPI data
frame. This can result in out-of-bounds accesses and was confirmed with
KASAN.

Introduce SPI_HDRSIZE to account for the header and use to allocate the
transfer buffer.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tpm_tis_spi: Cuenta para el encabezado SPI al asignar el búfer de transferencia TPM SPI El mecanismo de transferencia TPM SPI utiliza MAX_SPI_FRAMESIZE para calcular la longitud máxima de transferencia y el tamaño del búfer de transferencia. Como tal, no tiene en cuenta los 4 bytes del encabezado que antepone el marco de datos SPI. Esto puede resultar en accesos fuera de los límites y fue confirmado con KASAN. Introduzca SPI_HDRSIZE para tener en cuenta el encabezado y utilícelo para asignar el búfer de transferencia.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-21 CVE Reserved
2024-06-21 CVE Published
2024-06-25 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/a86a42ac2bd652fdc7836a9d880c306a2485c142	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/1547183852dcdfcc25878db7dd3620509217b0cd	2024-06-12
https://git.kernel.org/stable/c/de13c56f99477b56980c7e00b09c776d16b7563d	2024-06-12
https://git.kernel.org/stable/c/195aba96b854dd664768f382cd1db375d8181f88	2024-05-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.6.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.33"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.9.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.9.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.10"		en		Affected