[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024052154-CVE-2021-47282-edd8@gregkh>
Date: Tue, 21 May 2024 16:20:36 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-47282: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for
->prepare_message()") limited the number of slaves to 3 at compile-time.
The limitation was necessitated by a statically-sized array prepare_cs[]
in the driver private data which contains a per-slave register value.
The commit sought to enforce the limitation at run-time by setting the
controller's num_chipselect to 3: Slaves with a higher chipselect are
rejected by spi_add_device().
However the commit neglected that num_chipselect only limits the number
of *native* chipselects. If GPIO chipselects are specified in the
device tree for more than 3 slaves, num_chipselect is silently raised by
of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to
the statically-sized array prepare_cs[].
As a bandaid fix which is backportable to stable, raise the number of
allowed slaves to 24 (which "ought to be enough for anybody"), enforce
the limitation on slave ->setup and revert num_chipselect to 3 (which is
the number of native chipselects supported by the controller).
An upcoming for-next commit will allow an arbitrary number of slaves.
The Linux kernel CVE team has assigned CVE-2021-47282 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.4 with commit 571e31fa60b3 and fixed in 5.4.126 with commit b5502580cf95
Issue introduced in 5.4 with commit 571e31fa60b3 and fixed in 5.10.44 with commit 82a8ffba54d3
Issue introduced in 5.4 with commit 571e31fa60b3 and fixed in 5.12.11 with commit 01415ff85a24
Issue introduced in 5.4 with commit 571e31fa60b3 and fixed in 5.13 with commit 13817d466eb8
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47282
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/spi/spi-bcm2835.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc
https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e
https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690
https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444
Powered by blists - more mailing lists