CVE-2021-47476

In the Linux kernel, the following vulnerability has been resolved: comedi: ni_usb6501: fix NULL-deref in command paths The driver uses endpoint-sized USB transfer buffers but had no sanity checks on the sizes. This can lead to zero-size-pointer dereferences or overflowed transfer buffers in ni6501_port_command() and ni6501_counter_command() if a (malicious) device has smaller max-packet sizes than expected (or when doing descriptor fuzz testing). Add the missing sanity checks to probe().

CVSS

No CVSS.

References

Link	Resource
https://git.kernel.org/stable/c/4a9d43cb5d5f39fa39fc1da438517004cc95f7ea
https://git.kernel.org/stable/c/58478143771b20ab219937b1c30a706590a59224
https://git.kernel.org/stable/c/907767da8f3a925b060c740e0b5c92ea7dbec440
https://git.kernel.org/stable/c/aa39738423503825625853b643b9e99d11c23816
https://git.kernel.org/stable/c/b0156b7c9649d8f55a2ce3d3258509f1b2a181c3
https://git.kernel.org/stable/c/bc51111bf6e8e7b6cc94b133e4c291273a16acd1
https://git.kernel.org/stable/c/d6a727a681a39ae4f73081a9bedb45d14f95bdd1
https://git.kernel.org/stable/c/df7b1238f3b599a0b9284249772cdfd1ea83a632
https://git.kernel.org/stable/c/ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1

Configurations

No configuration.

History

03 Jul 2024, 01:38

Type	Values Removed	Values Added
CWE		CWE-476
Summary		(es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: ni_usb6501: corrige NULL-deref en las rutas de comando El controlador usa búferes de transferencia USB del tamaño de un terminal, pero no tuvo controles de cordura en los tamaños. Esto puede provocar desreferencias de puntero de tamaño cero o búferes de transferencia desbordados en ni6501_port_command() y ni6501_counter_command() si un dispositivo (malicioso) tiene tamaños máximos de paquetes más pequeños de lo esperado (o cuando se realizan pruebas de descriptor difuso). Agregue las comprobaciones de cordura que faltan a probe().

22 May 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-22 09:15

Updated : 2024-07-03 01:38

NVD link : CVE-2021-47476

Mitre link : CVE-2021-47476

CVE.ORG link : CVE-2021-47476

JSON object : View

Products Affected

No product.

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2021-47476", "cveTags": [], "metrics": {}, "published": "2024-05-22T09:15:09.470", "references": [{"url": "https://git.kernel.org/stable/c/4a9d43cb5d5f39fa39fc1da438517004cc95f7ea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/58478143771b20ab219937b1c30a706590a59224", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/907767da8f3a925b060c740e0b5c92ea7dbec440", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa39738423503825625853b643b9e99d11c23816", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0156b7c9649d8f55a2ce3d3258509f1b2a181c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bc51111bf6e8e7b6cc94b133e4c291273a16acd1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d6a727a681a39ae4f73081a9bedb45d14f95bdd1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/df7b1238f3b599a0b9284249772cdfd1ea83a632", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef143dc0c3defe56730ecd3a9de7b3e1d7e557c1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: ni_usb6501: fix NULL-deref in command paths\n\nThe driver uses endpoint-sized USB transfer buffers but had no sanity\nchecks on the sizes. This can lead to zero-size-pointer dereferences or\noverflowed transfer buffers in ni6501_port_command() and\nni6501_counter_command() if a (malicious) device has smaller max-packet\nsizes than expected (or when doing descriptor fuzz testing).\n\nAdd the missing sanity checks to probe()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: comedi: ni_usb6501: corrige NULL-deref en las rutas de comando El controlador usa b\u00faferes de transferencia USB del tama\u00f1o de un terminal, pero no tuvo controles de cordura en los tama\u00f1os. Esto puede provocar desreferencias de puntero de tama\u00f1o cero o b\u00faferes de transferencia desbordados en ni6501_port_command() y ni6501_counter_command() si un dispositivo (malicioso) tiene tama\u00f1os m\u00e1ximos de paquetes m\u00e1s peque\u00f1os de lo esperado (o cuando se realizan pruebas de descriptor difuso). Agregue las comprobaciones de cordura que faltan a probe()."}], "lastModified": "2024-07-03T01:38:00.540", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}