CVE-2021-47346

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
21/05/2024
Last modified:
06/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

commit 6f755e85c332 ("coresight: Add helper for inserting synchronization
packets") removed trailing '\0' from barrier_pkt array and updated the
call sites like etb_update_buffer() to have proper checks for barrier_pkt
size before read but missed updating tmc_update_etf_buffer() which still
reads barrier_pkt past the array size resulting in KASAN out-of-bounds
bug. Fix this by adding a check for barrier_pkt size before accessing
like it is done in etb_update_buffer().

BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
Read of size 4 at addr ffffffd05b7d1030 by task perf/2629

Call trace:
dump_backtrace+0x0/0x27c
show_stack+0x20/0x2c
dump_stack+0x11c/0x188
print_address_description+0x3c/0x4a4
__kasan_report+0x140/0x164
kasan_report+0x10/0x18
__asan_report_load4_noabort+0x1c/0x24
tmc_update_etf_buffer+0x4b8/0x698
etm_event_stop+0x248/0x2d8
etm_event_del+0x20/0x2c
event_sched_out+0x214/0x6f0
group_sched_out+0xd0/0x270
ctx_sched_out+0x2ec/0x518
__perf_event_task_sched_out+0x4fc/0xe6c
__schedule+0x1094/0x16a0
preempt_schedule_irq+0x88/0x170
arm64_preempt_schedule_irq+0xf0/0x18c
el1_irq+0xe8/0x180
perf_event_exec+0x4d8/0x56c
setup_new_exec+0x204/0x400
load_elf_binary+0x72c/0x18c0
search_binary_handler+0x13c/0x420
load_script+0x500/0x6c4
search_binary_handler+0x13c/0x420
exec_binprm+0x118/0x654
__do_execve_file+0x77c/0xba4
__arm64_compat_sys_execve+0x98/0xac
el0_svc_common+0x1f8/0x5e0
el0_svc_compat_handler+0x84/0xb0
el0_svc_compat+0x10/0x50

The buggy address belongs to the variable:
barrier_pkt+0x10/0x40

Memory state around the buggy address:
ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
                                     ^
ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
==================================================================
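The bug pattern described above, as an added user-space illustration that is not part of this advisory or of the kernel source: a copy loop that stops inserting barrier words when it sees a zero terminator keeps reading once the terminator is gone, while a loop bounded by the packet size stops at the fourth word. The names etf_update_buggy, etf_update_fixed, readl_tmc_rrd, struct fake_tmc and the contents of rodata_model and sample_trace are assumptions made for the example; only the four-word barrier packet and the CORESIGHT_BARRIER_PKT_SIZE bound mirror the kernel's layout. The "memory after barrier_pkt" is modelled as part of one larger array so that the over-read is observable without faulting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Shape of the kernel's barrier packet after commit 6f755e85c332:
 * four 0x7fffffff words and no terminating zero word. */
#define CORESIGHT_BARRIER_PKT_SIZE (4 * sizeof(u32))

/* Constructed stand-in for .rodata: barrier_pkt occupies the first four
 * words and unrelated non-zero data follows it (hypothetical values).
 * Keeping it all in one array keeps the buggy loop's over-read in bounds
 * of *this* array, so the example can show the pollution without crashing. */
static const u32 rodata_model[16] = {
	0x7fffffff, 0x7fffffff, 0x7fffffff, 0x7fffffff,	/* barrier_pkt[0..3] */
	0x11111111, 0x22222222, 0x33333333, 0x44444444,	/* whatever sits after it */
	0x55555555, 0x66666666, 0x77777777, 0x88888888,
	0x99999999, 0xaaaaaaaa, 0xbbbbbbbb, 0xcccccccc,
};
static const u32 *const barrier_pkt = rodata_model;

/* Constructed trace words standing in for what reading TMC_RRD returns. */
static const u32 sample_trace[8] = {
	0xdead0001, 0xdead0002, 0xdead0003, 0xdead0004,
	0xdead0005, 0xdead0006, 0xdead0007, 0xdead0008,
};

/* Minimal model of the ETF FIFO: every read of TMC_RRD pops one word. */
struct fake_tmc {
	const u32 *fifo;
	size_t nwords;
	size_t pos;
};

static u32 readl_tmc_rrd(struct fake_tmc *t)
{
	return t->pos < t->nwords ? t->fifo[t->pos++] : 0xffffffffu;
}

/* Buggy pattern: relies on a zero word to stop inserting barrier words.
 * With no terminator, *barrier walks past barrier_pkt[3] and the trace
 * buffer is filled with whatever follows the packet in memory.
 * to_read is in bytes; returns the number of words written to out. */
static size_t etf_update_buggy(struct fake_tmc *t, bool lost,
			       u32 *out, size_t to_read)
{
	const u32 *barrier = barrier_pkt;
	size_t i, n = 0;

	for (i = 0; i < to_read; i += 4) {
		u32 read_data = readl_tmc_rrd(t);

		if (lost && *barrier) {	/* the out-of-bounds read */
			read_data = *barrier;
			barrier++;
		}
		out[n++] = read_data;
	}
	return n;
}

/* Fixed pattern: bound the insertion by the packet size, the same check
 * the commit message says etb_update_buffer() already had. */
static size_t etf_update_fixed(struct fake_tmc *t, bool lost,
			       u32 *out, size_t to_read)
{
	const u32 *barrier = barrier_pkt;
	size_t i, n = 0;

	for (i = 0; i < to_read; i += 4) {
		u32 read_data = readl_tmc_rrd(t);

		if (lost && i < CORESIGHT_BARRIER_PKT_SIZE) {
			read_data = *barrier;
			barrier++;
		}
		out[n++] = read_data;
	}
	return n;
}

/* Number of leading words in out that did not come from the trace FIFO
 * (sample_trace words all start with 0xdead). More than 4 means the
 * buffer was polluted by the over-read. */
static size_t leading_non_trace_words(const u32 *out, size_t n)
{
	size_t k = 0;

	while (k < n && (out[k] & 0xffff0000u) != 0xdead0000u)
		k++;
	return k;
}

int main(void)
{
	u32 out[8];
	struct fake_tmc t = { sample_trace, 8, 0 };
	size_t n, k;

	n = etf_update_buggy(&t, true, out, sizeof(out));
	k = leading_non_trace_words(out, n);
	printf("buggy: %zu words written, %zu not from the trace FIFO\n", n, k);

	t.pos = 0;
	n = etf_update_fixed(&t, true, out, sizeof(out));
	k = leading_non_trace_words(out, n);
	printf("fixed: %zu words written, %zu barrier words, then %08x\n",
	       n, k, out[k]);
	return 0;
}
```

In the kernel the equivalent over-read lands on whatever global the linker placed after barrier_pkt, which is why KASAN reports the access as barrier_pkt+0x10: the first word beyond a sixteen-byte array. A cheap regression check for any such loop is to grep for `*barrier` used as a loop condition rather than an index compared against CORESIGHT_BARRIER_PKT_SIZE.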

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14 (including) 4.19.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.133 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.12.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 5.13.3 (excluding)