cve/published/2021/CVE-2021-47476.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47476: comedi: ni_usb6501: fix NULL-deref in command paths

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 comedi: ni_usb6501: fix NULL-deref in command paths

 The driver uses endpoint-sized USB transfer buffers but had no sanity
 checks on the sizes. This can lead to zero-size-pointer dereferences or
 overflowed transfer buffers in ni6501_port_command() and
 ni6501_counter_command() if a (malicious) device has smaller max-packet
 sizes than expected (or when doing descriptor fuzz testing).

 Add the missing sanity checks to probe().

 The Linux kernel CVE team has assigned CVE-2021-47476 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.4.292 with commit 58478143771b20ab219937b1c30a706590a59224
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.9.290 with commit aa39738423503825625853b643b9e99d11c23816
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.14.255 with commit df7b1238f3b599a0b9284249772cdfd1ea83a632
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.19.217 with commit bc51111bf6e8e7b6cc94b133e4c291273a16acd1
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.4.159 with commit b0156b7c9649d8f55a2ce3d3258509f1b2a181c3
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.10.79 with commit ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.14.18 with commit 4a9d43cb5d5f39fa39fc1da438517004cc95f7ea
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.15.2 with commit d6a727a681a39ae4f73081a9bedb45d14f95bdd1
 	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.16 with commit 907767da8f3a925b060c740e0b5c92ea7dbec440

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47476
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/comedi/drivers/ni_usb6501.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/58478143771b20ab219937b1c30a706590a59224
 	https://git.kernel.org/stable/c/aa39738423503825625853b643b9e99d11c23816
 	https://git.kernel.org/stable/c/df7b1238f3b599a0b9284249772cdfd1ea83a632
 	https://git.kernel.org/stable/c/bc51111bf6e8e7b6cc94b133e4c291273a16acd1
 	https://git.kernel.org/stable/c/b0156b7c9649d8f55a2ce3d3258509f1b2a181c3
 	https://git.kernel.org/stable/c/ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1
 	https://git.kernel.org/stable/c/4a9d43cb5d5f39fa39fc1da438517004cc95f7ea
 	https://git.kernel.org/stable/c/d6a727a681a39ae4f73081a9bedb45d14f95bdd1
 	https://git.kernel.org/stable/c/907767da8f3a925b060c740e0b5c92ea7dbec440
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47476: comedi: ni_usb6501: fix NULL-deref in command paths

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	comedi: ni_usb6501: fix NULL-deref in command paths

	The driver uses endpoint-sized USB transfer buffers but had no sanity
	checks on the sizes. This can lead to zero-size-pointer dereferences or
	overflowed transfer buffers in ni6501_port_command() and
	ni6501_counter_command() if a (malicious) device has smaller max-packet
	sizes than expected (or when doing descriptor fuzz testing).

	Add the missing sanity checks to probe().

	The Linux kernel CVE team has assigned CVE-2021-47476 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.4.292 with commit 58478143771b20ab219937b1c30a706590a59224
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.9.290 with commit aa39738423503825625853b643b9e99d11c23816
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.14.255 with commit df7b1238f3b599a0b9284249772cdfd1ea83a632
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 4.19.217 with commit bc51111bf6e8e7b6cc94b133e4c291273a16acd1
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.4.159 with commit b0156b7c9649d8f55a2ce3d3258509f1b2a181c3
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.10.79 with commit ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.14.18 with commit 4a9d43cb5d5f39fa39fc1da438517004cc95f7ea
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.15.2 with commit d6a727a681a39ae4f73081a9bedb45d14f95bdd1
	Issue introduced in 3.18 with commit a03bb00e50ab4c07107da58a52a0bff7943f360c and fixed in 5.16 with commit 907767da8f3a925b060c740e0b5c92ea7dbec440

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47476
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/comedi/drivers/ni_usb6501.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/58478143771b20ab219937b1c30a706590a59224
	https://git.kernel.org/stable/c/aa39738423503825625853b643b9e99d11c23816
	https://git.kernel.org/stable/c/df7b1238f3b599a0b9284249772cdfd1ea83a632
	https://git.kernel.org/stable/c/bc51111bf6e8e7b6cc94b133e4c291273a16acd1
	https://git.kernel.org/stable/c/b0156b7c9649d8f55a2ce3d3258509f1b2a181c3
	https://git.kernel.org/stable/c/ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1
	https://git.kernel.org/stable/c/4a9d43cb5d5f39fa39fc1da438517004cc95f7ea
	https://git.kernel.org/stable/c/d6a727a681a39ae4f73081a9bedb45d14f95bdd1
	https://git.kernel.org/stable/c/907767da8f3a925b060c740e0b5c92ea7dbec440