CVE-2021-47288

2024-05-2115:15:16

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

media

ngene

out-of-bounds

bug fix

security vulnerability

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.2%

JSON

In the Linux kernel, the following vulnerability has been resolved:

media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

Fix an 11-year old bug in ngene_command_config_free_buf() while
addressing the following warnings caught with -Warray-bounds:

arch/alpha/include/asm/string.h:22:16: warning: ‘__builtin_memcpy’ offset [12, 16] from the object at ‘com’ is out of the bounds of referenced subobject ‘config’ with type ‘unsigned char’ at offset 10 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: ‘__builtin_memcpy’ offset [12, 16] from the object at ‘com’ is out of the bounds of referenced subobject ‘config’ with type ‘unsigned char’ at offset 10 [-Warray-bounds]

The problem is that the original code is trying to copy 6 bytes of
data into a one-byte size member config of the wrong structue
FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a
legitimate compiler warning because memcpy() overruns the length
of &com.cmd.ConfigureBuffers.config. It seems that the right
structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains
6 more members apart from the header hdr. Also, the name of
the function ngene_command_config_free_buf() suggests that the actual
intention is to ConfigureFreeBuffers, instead of ConfigureBuffers
(which takes place in the function ngene_command_config_buf(), above).

Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS
into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as
the destination address, instead of &com.cmd.ConfigureBuffers.config,
when calling memcpy().

This also helps with the ongoing efforts to globally enable
-Warray-bounds and get us closer to being able to tighten the
FORTIFY_SOURCE routines on memcpy().

Affected configurations

Vulners

Node

linuxlinux_kernelRange2.6.34–4.4.277

linuxlinux_kernelRange4.5.0–4.9.277

linuxlinux_kernelRange4.10.0–4.14.241

linuxlinux_kernelRange4.15.0–4.19.199

linuxlinux_kernelRange4.20.0–5.4.136

linuxlinux_kernelRange5.5.0–5.10.54

linuxlinux_kernelRange5.11.0–5.13.6

linuxlinux_kernelRange5.14.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/media/pci/ngene/ngene-core.c",
      "drivers/media/pci/ngene/ngene.h"
    ],
    "versions": [
      {
        "version": "dae52d009fc9",
        "lessThan": "4487b968e5ea",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "c6ddeb63dd54",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "e818f2ff6485",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "ec731c6ef564",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "e617fa62f6cf",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "e991457afdcb",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "b9a178f189bb",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "dae52d009fc9",
        "lessThan": "8d4abca95ecc",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/media/pci/ngene/ngene-core.c",
      "drivers/media/pci/ngene/ngene.h"
    ],
    "versions": [
      {
        "version": "2.6.34",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.34",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.4.277",
        "lessThanOrEqual": "4.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.9.277",
        "lessThanOrEqual": "4.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.241",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.199",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.136",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.54",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13.6",
        "lessThanOrEqual": "5.13.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]