CVE-2021-47159 net: dsa: fix a crash if ->get_sset_count() fails

2024-03-2509:16:13

Linux

www.cve.org

linux kernel

vulnerability

dsa

crash

get_sset_count()

ops

error code

type promotion

memory corruption

system crash

fix

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: fix a crash if ->get_sset_count() fails

If ds->ops->get_sset_count() fails then it “count” is a negative error
code such as -EOPNOTSUPP. Because “i” is an unsigned int, the negative
error code is type promoted to a very high value and the loop will
corrupt memory until the system crashes.

Fix this by checking for error codes and changing the type of “i” to
just int.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/dsa/master.c"
    ],
    "versions": [
      {
        "version": "badf3ada60ab",
        "lessThan": "0f2cb08c57ed",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "badf3ada60ab",
        "lessThan": "ce5355f140a7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "badf3ada60ab",
        "lessThan": "caff86f85512",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "badf3ada60ab",
        "lessThan": "7b22466648a4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "badf3ada60ab",
        "lessThan": "a269333fa5c0",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/dsa/master.c"
    ],
    "versions": [
      {
        "version": "4.7",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.7",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.193",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.124",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.42",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.12.9",
        "lessThanOrEqual": "5.12.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]