CVE-2022-48871

{"id": "CVE-2022-48871", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2024-08-21T07:15:04.207", "references": [{"url": "https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer\n\nDriver's probe allocates memory for RX FIFO (port->rx_fifo) based on\ndefault RX FIFO depth, e.g. 16. Later during serial startup the\nqcom_geni_serial_port_setup() updates the RX FIFO depth\n(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.\n\nThe RX UART handle code will read \"port->rx_fifo_depth\" number of words\ninto \"port->rx_fifo\" buffer, thus exceeding the bounds. This can be\nobserved in certain configurations with Qualcomm Bluetooth HCI UART\ndevice and KASAN:\n\n Bluetooth: hci0: QCA Product ID :0x00000010\n Bluetooth: hci0: QCA SOC Version :0x400a0200\n Bluetooth: hci0: QCA ROM Version :0x00000200\n Bluetooth: hci0: QCA Patch Version:0x00000d2b\n Bluetooth: hci0: QCA controller version 0x02000200\n Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv\n bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2\n Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)\n Bluetooth: hci0: QCA Failed to download patch (-2)\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c\n Write of size 4 at addr ffff279347d578c0 by task swapper/0/0\n\n CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26\n Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)\n Call trace:\n dump_backtrace.part.0+0xe0/0xf0\n show_stack+0x18/0x40\n dump_stack_lvl+0x8c/0xb8\n print_report+0x188/0x488\n kasan_report+0xb4/0x100\n __asan_store4+0x80/0xa4\n handle_rx_uart+0xa8/0x18c\n qcom_geni_serial_handle_rx+0x84/0x9c\n qcom_geni_serial_isr+0x24c/0x760\n __handle_irq_event_percpu+0x108/0x500\n handle_irq_event+0x6c/0x110\n handle_fasteoi_irq+0x138/0x2cc\n generic_handle_domain_irq+0x48/0x64\n\nIf the RX FIFO depth changes after probe, be sure to resize the buffer."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: serial: qcom-geni-serial: corrige los l\u00edmites fuera de los l\u00edmites en el b\u00fafer RX FIFO La sonda del controlador asigna memoria para RX FIFO (puerto->rx_fifo) seg\u00fan el valor predeterminado Profundidad FIFO de RX, por ejemplo, 16. M\u00e1s adelante, durante el inicio en serie, qcom_geni_serial_port_setup() actualiza la profundidad FIFO de RX (puerto->rx_fifo_profundidad) para que coincida con las capacidades reales del dispositivo, por ejemplo, a 32. El c\u00f3digo de identificador de RX UART leer\u00e1 el n\u00famero \"puerto->rx_fifo_profundidad\" de palabras en el b\u00fafer \"port->rx_fifo\", excediendo as\u00ed los l\u00edmites. Esto se puede observar en ciertas configuraciones con el dispositivo Qualcomm Bluetooth HCI UART y KASAN: Bluetooth: hci0: QCA ID de producto: 0x00000010 Bluetooth: hci0: QCA SOC Version: 0x400a0200 Bluetooth: hci0: QCA ROM Version: 0x00000200 Bluetooth: hci0: QCA Patch Version :0x00000d2b Bluetooth: hci0: versi\u00f3n del controlador QCA 0x02000200 Bluetooth: hci0: QCA Descargando qca/htbtfw20.tlv bluetooth hci0: La carga directa del firmware para qca/htbtfw20.tlv fall\u00f3 con el error -2 Bluetooth: hci0: QCA No se pudo solicitar el archivo: qca/ htbtfw20.tlv (-2) Bluetooth: hci0: QCA Error al descargar el parche (-2) =============================== ==================================== ERROR: KASAN: losa fuera de los l\u00edmites en handle_rx_uart+ 0xa8/0x18c Escritura de tama\u00f1o 4 en la direcci\u00f3n ffff279347d578c0 mediante task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26 Nombre de hardware: Qualcomm Technologies, Inc Rob\u00f3tica RB5 (DT) Seguimiento de llamadas: dump_backtrace.part.0+0xe0/0xf0 show_stack+0x18/0x40 dump_stack_lvl+0x8c/0xb8 print_report+0x188/0x488 kasan_report+0xb4/0x100 __asan_store4+0x80/0xa4 handle_rx_uart+0xa. 8/0x18c qcom_geni_serial_handle_rx+ 0x84/0x9c qcom_geni_serial_isr+0x24c/0x760 __handle_irq_event_percpu+0x108/0x500 handle_irq_event+0x6c/0x110 handle_fasteoi_irq+0x138/0x2cc generic_handle_domain_irq+0x48/0x64 Si la profundidad FIFO de RX cambia despu\u00e9s sonda, aseg\u00farese de cambiar el tama\u00f1o del b\u00fafer."}], "lastModified": "2024-09-06T14:23:03.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D1B38E6-531E-4689-A204-9E0178E886F5", "versionEndExcluding": "5.10.165", "versionStartIncluding": "5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E995CDA5-7223-4FDB-BAD3-81B22C763A43", "versionEndExcluding": "5.15.90", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6AFE6C9-3F59-4711-B2CF-7D6682FF6BD0", "versionEndExcluding": "6.1.8", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}