Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2021 / CVE-2021-47633.mbox
blob: a5ec8ea6cabeec013005e5682ff9d5ea45ce87eb [file] [log] [blame]
From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2021-47633: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
The bug was found during fuzzing. Stacktrace locates it in
ath5k_eeprom_convert_pcal_info_5111.
When none of the curve is selected in the loop, idx can go
up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.
pd = &chinfo[pier].pd_curves[idx];
There are many OOB writes using pd later in the code. So I
added a sanity check for idx. Checks for other loops involving
AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
used outside the loops.
The patch is NOT tested with real device.
The following is the fuzzing report
BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
__kasan_report.cold+0x37/0x7c
? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
kasan_report+0xe/0x20
ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
ath5k_eeprom_init+0x2513/0x6290 [ath5k]
? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
? usleep_range+0xb8/0x100
? apic_timer_interrupt+0xa/0x20
? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
ath5k_hw_init+0xb60/0x1970 [ath5k]
ath5k_init_ah+0x6fe/0x2530 [ath5k]
? kasprintf+0xa6/0xe0
? ath5k_stop+0x140/0x140 [ath5k]
? _dev_notice+0xf6/0xf6
? apic_timer_interrupt+0xa/0x20
ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
? mutex_lock+0x89/0xd0
? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
local_pci_probe+0xd3/0x160
pci_device_probe+0x23f/0x3e0
? pci_device_remove+0x280/0x280
? pci_device_remove+0x280/0x280
really_probe+0x209/0x5d0
The Linux kernel CVE team has assigned CVE-2021-47633 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 4.9.311 with commit f4de974019a0adf34d0e7de6b86252f1bd266b06
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 4.14.276 with commit ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 4.19.238 with commit 25efc5d03455c3839249bc77fce5e29ecb54677e
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 5.4.189 with commit c4e2f577271e158d87a916afb4e87415a88ce856
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 5.10.111 with commit 9d7d83d0399e23d66fd431b553842a84ac10398f
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 5.15.34 with commit be2f81024e7981565d90a4c9ca3067d11b6bca7f
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 5.16.20 with commit fc8f7752a82f4accb99c0f1a868906ba1eb7b86f
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 5.17.3 with commit cbd96d6cad6625feba9c8d101ed4977d53e82f8e
Issue introduced in 2.6.30 with commit 8e218fb24faef0bfe95bc91b3c05261e20439527 and fixed in 5.18 with commit 564d4eceb97eaf381dd6ef6470b06377bb50c95a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47633
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireless/ath/ath5k/eeprom.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f4de974019a0adf34d0e7de6b86252f1bd266b06
https://git.kernel.org/stable/c/ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84
https://git.kernel.org/stable/c/25efc5d03455c3839249bc77fce5e29ecb54677e
https://git.kernel.org/stable/c/c4e2f577271e158d87a916afb4e87415a88ce856
https://git.kernel.org/stable/c/9d7d83d0399e23d66fd431b553842a84ac10398f
https://git.kernel.org/stable/c/be2f81024e7981565d90a4c9ca3067d11b6bca7f
https://git.kernel.org/stable/c/fc8f7752a82f4accb99c0f1a868906ba1eb7b86f
https://git.kernel.org/stable/c/cbd96d6cad6625feba9c8d101ed4977d53e82f8e
https://git.kernel.org/stable/c/564d4eceb97eaf381dd6ef6470b06377bb50c95a