CVE-2021-46102 - OpenCVE

From version 0.2.14 to 0.2.16 for Solana rBPF, function "relocate" in the file src/elf.rs has an integer overflow bug because the sym.st_value is read directly from ELF file without checking. If the sym.st_value is rather large, an integer overflow is triggered while calculating the variable "addr" via "addr = (sym.st_value + refd_pa) as u64";

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solanalabs	Rbpf

Configuration 1 [-]

cpe:2.3:a:solanalabs:rbpf:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee
https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630
https://github.com/solana-labs/rbpf/pull/200
https://github.com/solana-labs/rbpf/pull/236

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-01-27T17:44:59

Updated: 2024-08-04T05:02:10.272Z

Reserved: 2022-01-03T00:00:00

Link: CVE-2021-46102

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-27T18:15:07.770

Modified: 2023-04-26T19:10:22.567

Link: CVE-2021-46102

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "From version 0.2.14 to 0.2.16 for Solana rBPF, function \"relocate\" in the file src/elf.rs has an integer overflow bug because the sym.st_value is read directly from ELF file without checking. If the sym.st_value is rather large, an integer overflow is triggered while calculating the variable \"addr\" via \"addr = (sym.st_value + refd_pa) as u64\";"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-27T17:44:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solana-labs/rbpf/pull/200"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solana-labs/rbpf/pull/236"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-46102", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "From version 0.2.14 to 0.2.16 for Solana rBPF, function \"relocate\" in the file src/elf.rs has an integer overflow bug because the sym.st_value is read directly from ELF file without checking. If the sym.st_value is rather large, an integer overflow is triggered while calculating the variable \"addr\" via \"addr = (sym.st_value + refd_pa) as u64\";"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee", "refsource": "MISC", "url": "https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee"}, {"name": "https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630", "refsource": "MISC", "url": "https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630"}, {"name": "https://github.com/solana-labs/rbpf/pull/200", "refsource": "MISC", "url": "https://github.com/solana-labs/rbpf/pull/200"}, {"name": "https://github.com/solana-labs/rbpf/pull/236", "refsource": "MISC", "url": "https://github.com/solana-labs/rbpf/pull/236"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:02:10.272Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solana-labs/rbpf/pull/200"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solana-labs/rbpf/pull/236"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-46102", "datePublished": "2022-01-27T17:44:59", "dateReserved": "2022-01-03T00:00:00", "dateUpdated": "2024-08-04T05:02:10.272Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solanalabs:rbpf:*:*:*:*:*:*:*:*", "matchCriteriaId": "91E274CF-612E-48D1-BE5F-3337EA6C15EF", "versionEndIncluding": "0.2.16", "versionStartIncluding": "0.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "From version 0.2.14 to 0.2.16 for Solana rBPF, function \"relocate\" in the file src/elf.rs has an integer overflow bug because the sym.st_value is read directly from ELF file without checking. If the sym.st_value is rather large, an integer overflow is triggered while calculating the variable \"addr\" via \"addr = (sym.st_value + refd_pa) as u64\";"}, {"lang": "es", "value": "De la versi\u00f3n 0.2.14 a 0.2.16 para Solana rBPF, la funci\u00f3n \"relocate\" en el archivo src/elf.rs presenta un bug de desbordamiento de enteros porque el sym.st_value es le\u00eddo directamente del archivo ELF sin comprobarlo. Si el sym.st_value es bastante grande, es producido un desbordamiento de enteros mientras es calculada la variable \"addr\" por medio de \"addr = (sym.st_value + refd_pa) as u64\""}], "id": "CVE-2021-46102", "lastModified": "2023-04-26T19:10:22.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-27T18:15:07.770", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/solana-labs/rbpf/pull/200"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/solana-labs/rbpf/pull/236"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}