cve/published/2021/CVE-2021-47282.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47282: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 spi: bcm2835: Fix out-of-bounds access with more than 4 slaves

 Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for
 ->prepare_message()") limited the number of slaves to 3 at compile-time.
 The limitation was necessitated by a statically-sized array prepare_cs[]
 in the driver private data which contains a per-slave register value.

 The commit sought to enforce the limitation at run-time by setting the
 controller's num_chipselect to 3:  Slaves with a higher chipselect are
 rejected by spi_add_device().

 However the commit neglected that num_chipselect only limits the number
 of *native* chipselects.  If GPIO chipselects are specified in the
 device tree for more than 3 slaves, num_chipselect is silently raised by
 of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to
 the statically-sized array prepare_cs[].

 As a bandaid fix which is backportable to stable, raise the number of
 allowed slaves to 24 (which "ought to be enough for anybody"), enforce
 the limitation on slave ->setup and revert num_chipselect to 3 (which is
 the number of native chipselects supported by the controller).
 An upcoming for-next commit will allow an arbitrary number of slaves.

 The Linux kernel CVE team has assigned CVE-2021-47282 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.4.126 with commit b5502580cf958b094f3b69dfe4eece90eae01fbc
 	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.10.44 with commit 82a8ffba54d31e97582051cb56ba1f988018681e
 	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.12.11 with commit 01415ff85a24308059e06ca3e97fd7bf75648690
 	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.13 with commit 13817d466eb8713a1ffd254f537402f091d48444

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47282
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/spi/spi-bcm2835.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc
 	https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e
 	https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690
 	https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47282: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	spi: bcm2835: Fix out-of-bounds access with more than 4 slaves

	Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for
	->prepare_message()") limited the number of slaves to 3 at compile-time.
	The limitation was necessitated by a statically-sized array prepare_cs[]
	in the driver private data which contains a per-slave register value.

	The commit sought to enforce the limitation at run-time by setting the
	controller's num_chipselect to 3: Slaves with a higher chipselect are
	rejected by spi_add_device().

	However the commit neglected that num_chipselect only limits the number
	of native chipselects. If GPIO chipselects are specified in the
	device tree for more than 3 slaves, num_chipselect is silently raised by
	of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to
	the statically-sized array prepare_cs[].

	As a bandaid fix which is backportable to stable, raise the number of
	allowed slaves to 24 (which "ought to be enough for anybody"), enforce
	the limitation on slave ->setup and revert num_chipselect to 3 (which is
	the number of native chipselects supported by the controller).
	An upcoming for-next commit will allow an arbitrary number of slaves.

	The Linux kernel CVE team has assigned CVE-2021-47282 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.4.126 with commit b5502580cf958b094f3b69dfe4eece90eae01fbc
	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.10.44 with commit 82a8ffba54d31e97582051cb56ba1f988018681e
	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.12.11 with commit 01415ff85a24308059e06ca3e97fd7bf75648690
	Issue introduced in 5.4 with commit 571e31fa60b3697d5db26140e16d5c45c51c9815 and fixed in 5.13 with commit 13817d466eb8713a1ffd254f537402f091d48444

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47282
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/spi/spi-bcm2835.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc
	https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e
	https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690
	https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444