{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47475", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-22T06:20:56.200Z", "datePublished": "2024-05-22T08:19:29.423Z", "dateUpdated": "2024-11-04T12:06:38.963Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:06:38.963Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix transfer-buffer overflows\n\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\n\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\n\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\n\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/comedi/drivers/vmk80xx.c"], "versions": [{"version": "985cafccbf9b", "lessThan": "5229159f1d05", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "ec85bcff4ed0", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "40d2a7e278e2", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "7a2021b896de", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "199acd8c110e", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "33d7a470730d", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "278484ae9329", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "06ac746d57e6", "status": "affected", "versionType": "git"}, {"version": "985cafccbf9b", "lessThan": "a23461c47482", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/comedi/drivers/vmk80xx.c"], "versions": [{"version": "2.6.31", "status": "affected"}, {"version": "0", "lessThan": "2.6.31", "status": "unaffected", "versionType": "semver"}, {"version": "4.4.292", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.290", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.255", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.217", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.159", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.79", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.14.18", "lessThanOrEqual": "5.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.2", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f"}, {"url": "https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba"}, {"url": "https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7"}, {"url": "https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088"}, {"url": "https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9"}, {"url": "https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00"}, {"url": "https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47"}, {"url": "https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50"}, {"url": "https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1"}], "title": "comedi: vmk80xx: fix transfer-buffer overflows", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T17:52:35.271810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:48.725Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.742Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:39:59.742Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T17:52:35.271810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:25.588Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "comedi: vmk80xx: fix transfer-buffer overflows", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "985cafccbf9b", "lessThan": "5229159f1d05", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "ec85bcff4ed0", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "40d2a7e278e2", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "7a2021b896de", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "199acd8c110e", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "33d7a470730d", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "278484ae9329", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "06ac746d57e6", "versionType": "git"}, {"status": "affected", "version": "985cafccbf9b", "lessThan": "a23461c47482", "versionType": "git"}], "programFiles": ["drivers/comedi/drivers/vmk80xx.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.31"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.31", "versionType": "semver"}, {"status": "unaffected", "version": "4.4.292", "versionType": "semver", "lessThanOrEqual": "4.4.*"}, {"status": "unaffected", "version": "4.9.290", "versionType": "semver", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.255", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.217", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.159", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.79", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.14.18", "versionType": "semver", "lessThanOrEqual": "5.14.*"}, {"status": "unaffected", "version": "5.15.2", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "semver", "lessThanOrEqual": "*"}], "programFiles": ["drivers/comedi/drivers/vmk80xx.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f"}, {"url": "https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba"}, {"url": "https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7"}, {"url": "https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088"}, {"url": "https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9"}, {"url": "https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00"}, {"url": "https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47"}, {"url": "https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50"}, {"url": "https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1"}], "x_generator": {"engine": "bippy-c8e10e5f6187"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix transfer-buffer overflows\n\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\n\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\n\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\n\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:42:00.581Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47475", "state": "PUBLISHED", "dateUpdated": "2024-11-04T11:42:00.581Z", "dateReserved": "2024-05-22T06:20:56.200Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-22T08:19:29.423Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix transfer-buffer overflows\n\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\n\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\n\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\n\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: comedi: vmk80xx: corrige desbordamientos del b\u00fafer de transferencia El controlador utiliza b\u00faferes de transferencia USB del tama\u00f1o de un terminal, pero hasta hace poco no ten\u00eda controles de cordura sobre los tama\u00f1os. el commit e1f13c879a7c (\"staging: comedi: verificar la validez de wMaxPacketSize de los endpoints USB encontrados\") corrigi\u00f3 inadvertidamente las desreferencias de puntero NULL al acceder a los buffers de transferencia en caso de que un dispositivo malicioso tenga un wMaxPacketSize cero. Aseg\u00farese de asignar buffers lo suficientemente grandes para manejar tambi\u00e9n los otros accesos que se realizan sin una verificaci\u00f3n de tama\u00f1o (por ejemplo, el byte 18 en vmk80xx_cnt_insn_read() para VMK8061_MODEL) para evitar escribir m\u00e1s all\u00e1 de los buffers, por ejemplo, cuando se realiza una confusi\u00f3n de descriptores. El controlador original era para un dispositivo de baja velocidad con buffers de 8 bytes. Posteriormente se agreg\u00f3 soporte para un dispositivo que utiliza transferencias masivas y presumiblemente es un dispositivo de velocidad completa con un wMaxPacketSize m\u00e1ximo de 64 bytes."}], "id": "CVE-2021-47475", "lastModified": "2024-05-22T12:46:53.887", "metrics": {}, "published": "2024-05-22T09:15:09.370", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/06ac746d57e6d32b062e220415c607b7e2e0fa50"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/199acd8c110e3ae62833c24f632b0bb1c9f012a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/278484ae93297b1bb1ce755f9d3b6d95a48c7d47"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/33d7a470730dfe7c9bfc8da84575cf2cedd60d00"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/40d2a7e278e2e7c0a5fd7e997e7eb63945bf93f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5229159f1d052821007aff1a1beb7873eacf1a9f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a2021b896de1ad559d33b5c5cdd20b982242088"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a23461c47482fc232ffc9b819539d1f837adf2b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ec85bcff4ed09260243d8f39faba99e1041718ba"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: comedi: vmk80xx: fix transfer-buffer overflows", "id": "2282948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282948"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncomedi: vmk80xx: fix transfer-buffer overflows\nThe driver uses endpoint-sized USB transfer buffers but up until\nrecently had no sanity checks on the sizes.\nCommit e1f13c879a7c (\"staging: comedi: check validity of wMaxPacketSize\nof usb endpoints found\") inadvertently fixed NULL-pointer dereferences\nwhen accessing the transfer buffers in case a malicious device has a\nzero wMaxPacketSize.\nMake sure to allocate buffers large enough to handle also the other\naccesses that are done without a size check (e.g. byte 18 in\nvmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond\nthe buffers, for example, when doing descriptor fuzzing.\nThe original driver was for a low-speed device with 8-byte buffers.\nSupport was later added for a device that uses bulk transfers and is\npresumably a full-speed device with a maximum 64-byte wMaxPacketSize.", "A flaw was found in the vmk80xx module in the Linux kernel. Memory buffer allocations with incorrect sizes can result in an out-of-bounds write when performing descriptor fuzzing."], "name": "CVE-2021-47475", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47475\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47475\nhttps://lore.kernel.org/linux-cve-announce/2024052236-CVE-2021-47475-6524@gregkh/T"], "statement": "The vmk80xx module is not built in the kernel shipped in Red Hat Enterprise Linux, so it is not affected by this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "kernel 4.4.292, kernel 4.9.290, kernel 4.14.255, kernel 4.19.217, kernel 5.4.159, kernel 5.10.79, kernel 5.14.18, kernel 5.15.2, kernel 5.16"}