ghsa-6w3g-x8mp-cp7x
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
comedi: vmk80xx: fix transfer-buffer overflows
The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes.
Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") inadvertently fixed NULL-pointer dereferences when accessing the transfer buffers in case a malicious device has a zero wMaxPacketSize.
Make sure to allocate buffers large enough to handle also the other accesses that are done without a size check (e.g. byte 18 in vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond the buffers, for example, when doing descriptor fuzzing.
The original driver was for a low-speed device with 8-byte buffers. Support was later added for a device that uses bulk transfers and is presumably a full-speed device with a maximum 64-byte wMaxPacketSize.
{
"affected": [],
"aliases": [
"CVE-2021-47475"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T09:15:09Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix transfer-buffer overflows\n\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\n\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\n\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\n\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize.",
"id": "GHSA-6w3g-x8mp-cp7x",
"modified": "2024-05-22T09:31:46Z",
"published": "2024-05-22T09:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47475"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.