CVE-2021-47288

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47288
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47288.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47288
Related
Published
2024-05-21T15:15:16Z
Modified
2024-09-11T04:41:06.659323Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

media: ngene: Fix out-of-bounds bug in ngenecommandconfigfreebuf()

Fix an 11-year old bug in ngenecommandconfigfreebuf() while addressing the following warnings caught with -Warray-bounds:

arch/alpha/include/asm/string.h:22:16: warning: 'builtinmemcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds] arch/x86/include/asm/string32.h:182:25: warning: 'builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]

The problem is that the original code is trying to copy 6 bytes of data into a one-byte size member config of the wrong structue FWCONFIGUREBUFFERS, in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &com.cmd.ConfigureBuffers.config. It seems that the right structure is FWCONFIGUREFREEBUFFERS, instead, because it contains 6 more members apart from the header _hdr. Also, the name of the function ngenecommandconfigfreebuf() suggests that the actual intention is to ConfigureFreeBuffers, instead of ConfigureBuffers (which takes place in the function ngenecommandconfig_buf(), above).

Fix this by enclosing those 6 members of struct FWCONFIGUREFREE_BUFFERS into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as the destination address, instead of &com.cmd.ConfigureBuffers.config, when calling memcpy().

This also helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy().

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.70-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.14.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}