| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()\n\nFix an 11-year old bug in ngene_command_config_free_buf() while\naddressing the following warnings caught with -Warray-bounds:\n\narch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\narch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\n\nThe problem is that the original code is trying to copy 6 bytes of\ndata into a one-byte size member _config_ of the wrong structue\nFW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a\nlegitimate compiler warning because memcpy() overruns the length\nof &com.cmd.ConfigureBuffers.config. It seems that the right\nstructure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains\n6 more members apart from the header _hdr_. Also, the name of\nthe function ngene_command_config_free_buf() suggests that the actual\nintention is to ConfigureFreeBuffers, instead of ConfigureBuffers\n(which takes place in the function ngene_command_config_buf(), above).\n\nFix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS\ninto new struct config, and use &com.cmd.ConfigureFreeBuffers.config as\nthe destination address, instead of &com.cmd.ConfigureBuffers.config,\nwhen calling memcpy().\n\nThis also helps with the ongoing efforts to globally enable\n-Warray-bounds and get us closer to being able to tighten the\nFORTIFY_SOURCE routines on memcpy()." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/media/pci/ngene/ngene-core.c", |
| "drivers/media/pci/ngene/ngene.h" |
| ], |
| "versions": [ |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "4487b968e5eacd02c493303dc2b61150bb7fe4b2", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "c6ddeb63dd543b5474b0217c4e47538b7ffd7686", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "e818f2ff648581a6c553ae2bebc5dcef9a8bb90c", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "ec731c6ef564ee6fc101fc5d73e3a3a953d09a00", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "e617fa62f6cf859a7b042cdd6c73af905ff8fca3", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "e991457afdcb5f4dbc5bc9d79eaf775be33e7092", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "b9a178f189bb6d75293573e181928735f5e3e070", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "dae52d009fc950b5c209260d50fcc000f5becd3c", |
| "lessThan": "8d4abca95ecc82fc8c41912fa0085281f19cc29f", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/media/pci/ngene/ngene-core.c", |
| "drivers/media/pci/ngene/ngene.h" |
| ], |
| "versions": [ |
| { |
| "version": "2.6.34", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "2.6.34", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.4.277", |
| "lessThanOrEqual": "4.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.9.277", |
| "lessThanOrEqual": "4.9.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.14.241", |
| "lessThanOrEqual": "4.14.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.19.199", |
| "lessThanOrEqual": "4.19.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.136", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.54", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.13.6", |
| "lessThanOrEqual": "5.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.14", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "4.4.277" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "4.9.277" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "4.14.241" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "4.19.199" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.4.136" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.10.54" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.13.6" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "2.6.34", |
| "versionEndExcluding": "5.14" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f" |
| } |
| ], |
| "title": "media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2021-47288", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
