CVE-2021-47240 net: qrtr: fix OOB Read in qrtr_endpoint_post

2024-05-2114:19:40

Linux

github.com

linux kernel

vulnerability

net

qrtr

oob read

fix

slab-out-of-bounds

syzbot

skb_put_data

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: fix OOB Read in qrtr_endpoint_post

Syzbot reported slab-out-of-bounds Read in
qrtr_endpoint_post. The problem was in wrong
size type:

if (len != ALIGN(size, 4) + hdrlen)
	goto err;

If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of
ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293
in header this check won’t fail and

skb_put_data(skb, data + hdrlen, size);

will read out of bound from data, which is hdrlen allocated block.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/qrtr/qrtr.c"
    ],
    "versions": [
      {
        "version": "194ccc88297a",
        "lessThan": "f8111c0d7ed4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "194ccc88297a",
        "lessThan": "26b8d10703a9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "194ccc88297a",
        "lessThan": "960b08dd36de",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "194ccc88297a",
        "lessThan": "19892ab9c9d8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "194ccc88297a",
        "lessThan": "ad9d24c9429e",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/qrtr/qrtr.c"
    ],
    "versions": [
      {
        "version": "4.15",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.15",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.196",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.128",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.46",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.12.13",
        "lessThanOrEqual": "5.12.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]