Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichmentLinuxVULNRICHMENT:CVE-2021-47346
HistoryMay 21, 2024 - 2:35 p.m.

CVE-2021-47346 coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

2024-05-2114:35:52
Linux
github.com
linux kernel
vulnerability
coresight
tmc-etf
global-out-of-bounds
kasan
bug
security

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%

JSON

In the Linux kernel, the following vulnerability has been resolved:

coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

commit 6f755e85c332 (“coresight: Add helper for inserting synchronization
packets”) removed trailing ‘\0’ from barrier_pkt array and updated the
call sites like etb_update_buffer() to have proper checks for barrier_pkt
size before read but missed updating tmc_update_etf_buffer() which still
reads barrier_pkt past the array size resulting in KASAN out-of-bounds
bug. Fix this by adding a check for barrier_pkt size before accessing
like it is done in etb_update_buffer().

BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
Read of size 4 at addr ffffffd05b7d1030 by task perf/2629

Call trace:
dump_backtrace+0x0/0x27c
show_stack+0x20/0x2c
dump_stack+0x11c/0x188
print_address_description+0x3c/0x4a4
__kasan_report+0x140/0x164
kasan_report+0x10/0x18
__asan_report_load4_noabort+0x1c/0x24
tmc_update_etf_buffer+0x4b8/0x698
etm_event_stop+0x248/0x2d8
etm_event_del+0x20/0x2c
event_sched_out+0x214/0x6f0
group_sched_out+0xd0/0x270
ctx_sched_out+0x2ec/0x518
__perf_event_task_sched_out+0x4fc/0xe6c
__schedule+0x1094/0x16a0
preempt_schedule_irq+0x88/0x170
arm64_preempt_schedule_irq+0xf0/0x18c
el1_irq+0xe8/0x180
perf_event_exec+0x4d8/0x56c
setup_new_exec+0x204/0x400
load_elf_binary+0x72c/0x18c0
search_binary_handler+0x13c/0x420
load_script+0x500/0x6c4
search_binary_handler+0x13c/0x420
exec_binprm+0x118/0x654
__do_execve_file+0x77c/0xba4
__arm64_compat_sys_execve+0x98/0xac
el0_svc_common+0x1f8/0x5e0
el0_svc_compat_handler+0x84/0xb0
el0_svc_compat+0x10/0x50

The buggy address belongs to the variable:
barrier_pkt+0x10/0x40

Memory state around the buggy address:
ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
^
ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/hwtracing/coresight/coresight-tmc-etf.c"
    ],
    "versions": [
      {
        "version": "0c3fc4d5fa26",
        "lessThan": "04bd77ef4f4d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3fc4d5fa26",
        "lessThan": "ef0a06acc6b1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3fc4d5fa26",
        "lessThan": "35c1c4bd2d59",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3fc4d5fa26",
        "lessThan": "733d4d95c010",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3fc4d5fa26",
        "lessThan": "0115687be7b1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0c3fc4d5fa26",
        "lessThan": "5fae8a946ac2",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/hwtracing/coresight/coresight-tmc-etf.c"
    ],
    "versions": [
      {
        "version": "4.14",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.14",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.198",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.133",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.51",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.12.18",
        "lessThanOrEqual": "5.12.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13.3",
        "lessThanOrEqual": "5.13.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.14",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

debiancve 1
nvd 1
cve 1
redhatcve 1
ubuntucve 1
cvelist 1
debiancve
debiancve
CVE-2021-47346
2024-05-21 15:15:21
nvd
nvd
CVE-2021-47346
2024-05-21 15:15:21
cve
cve
CVE-2021-47346
2024-05-21 15:15:21
redhatcve
redhatcve
CVE-2021-47346
2024-05-22 11:26:01
ubuntucve
ubuntucve
CVE-2021-47346
2024-05-21 00:00:00
cvelist
cvelist
CVE-2021-47346 coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
2024-05-21 14:35:52

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.3%

JSON
Related for VULNRICHMENT:CVE-2021-47346
debiancve1nvd1cve1redhatcve1ubuntucve1cvelist1