Message-ID: <2024052236-CVE-2021-47476-5a68@gregkh>
Date: Wed, 22 May 2024 10:19:36 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-47476: comedi: ni_usb6501: fix NULL-deref in command paths

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

comedi: ni_usb6501: fix NULL-deref in command paths

The driver uses endpoint-sized USB transfer buffers but had no sanity
checks on the sizes. This can lead to zero-size-pointer dereferences or
overflowed transfer buffers in ni6501_port_command() and
ni6501_counter_command() if a (malicious) device has smaller max-packet
sizes than expected (or when doing descriptor fuzz testing).

Add the missing sanity checks to probe().

The Linux kernel CVE team has assigned CVE-2021-47476 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 4.4.292 with commit 58478143771b
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 4.9.290 with commit aa3973842350
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 4.14.255 with commit df7b1238f3b5
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 4.19.217 with commit bc51111bf6e8
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 5.4.159 with commit b0156b7c9649
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 5.10.79 with commit ef143dc0c3de
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 5.14.18 with commit 4a9d43cb5d5f
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 5.15.2 with commit d6a727a681a3
	Issue introduced in 3.18 with commit a03bb00e50ab and fixed in 5.16 with commit 907767da8f3a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47476
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/comedi/drivers/ni_usb6501.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/58478143771b20ab219937b1c30a706590a59224
	https://git.kernel.org/stable/c/aa39738423503825625853b643b9e99d11c23816
	https://git.kernel.org/stable/c/df7b1238f3b599a0b9284249772cdfd1ea83a632
	https://git.kernel.org/stable/c/bc51111bf6e8e7b6cc94b133e4c291273a16acd1
	https://git.kernel.org/stable/c/b0156b7c9649d8f55a2ce3d3258509f1b2a181c3
	https://git.kernel.org/stable/c/ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1
	https://git.kernel.org/stable/c/4a9d43cb5d5f39fa39fc1da438517004cc95f7ea
	https://git.kernel.org/stable/c/d6a727a681a39ae4f73081a9bedb45d14f95bdd1
	https://git.kernel.org/stable/c/907767da8f3a925b060c740e0b5c92ea7dbec440
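
Added example, not part of the advisory or the kernel source: a user-space C model of the kind of probe-time endpoint size check the description refers to. The struct, the function name, the bulk IN/OUT endpoint pair and the 16-byte request/response sizes are assumptions for illustration; the descriptors are constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed largest request/response sizes; placeholders, not from ni_usb6501.c. */
#define MODEL_MAX_REQ_LEN  16
#define MODEL_MAX_RESP_LEN 16
/* Endpoint descriptor fields seen at probe time; all are device-controlled. */
struct model_ep {
	uint8_t  bEndpointAddress; /* bit 7 set = IN */
	uint8_t  bmAttributes;     /* bits 1:0 = transfer type, 2 = bulk */
	uint16_t wMaxPacketSize;   /* bits 10:0 = packet size */
};
/* Constructed descriptors: a sane device, one reporting 0, one reporting 8. */
static const struct model_ep sane_dev[]  = { {0x81, 0x02, 64}, {0x01, 0x02, 64} };
static const struct model_ep zero_dev[]  = { {0x81, 0x02, 0},  {0x01, 0x02, 64} };
static const struct model_ep small_dev[] = { {0x81, 0x02, 64}, {0x01, 0x02, 8} };

/* Probe-time check: returns 0 and the buffer sizes, or -ENODEV to refuse the device. */
int model_probe_check(const struct model_ep *eps, size_t n, size_t *rx, size_t *tx)
{
	const struct model_ep *in = NULL, *out = NULL;
	for (size_t i = 0; i < n; i++) {
		if ((eps[i].bmAttributes & 0x03) != 0x02)
			continue;                  /* not a bulk endpoint */
		if (eps[i].bEndpointAddress & 0x80)
			in = in ? in : &eps[i];    /* first bulk IN */
		else
			out = out ? out : &eps[i]; /* first bulk OUT */
	}
	if (!in || !out)
		return -ENODEV;
	/* Size 0 would give a non-NULL ZERO_SIZE_PTR from kmalloc(); 8 a too-short buffer. */
	if ((in->wMaxPacketSize & 0x07ff) < MODEL_MAX_RESP_LEN ||
	    (out->wMaxPacketSize & 0x07ff) < MODEL_MAX_REQ_LEN)
		return -ENODEV;
	*rx = in->wMaxPacketSize & 0x07ff;
	*tx = out->wMaxPacketSize & 0x07ff;
	return 0;
}

int main(void)
{
	size_t rx = 0, tx = 0;
	int ok = model_probe_check(sane_dev, 2, &rx, &tx) == 0 &&
		 model_probe_check(zero_dev, 2, &rx, &tx) == -ENODEV &&
		 model_probe_check(small_dev, 2, &rx, &tx) == -ENODEV;
	return ok ? 0 : 1;
}
```

Because the kernel's kmalloc(0) returns a non-NULL ZERO_SIZE_PTR, an allocation-failure check alone does not catch a zero max-packet size; the size has to be validated before the buffers are allocated.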
