If using ioctl JSIOCSBTNMAP (ex. for device /dev/input/js0) with incorrect input data (ex. buffer filled with values 0xff), then Linux kernel module crash (panic) happens with memory writing out of bounds. Bug exists in kernels after patch 182d679b2298 (ref. https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/ , so starting from upstream v5.12-rc1 ). Before this patch (before v5.12-rc1 ), bug existed too, but there was only possibility of reading out of stack that was less dangerous.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1974080]
Since the patch https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/ not applied yet for any of the Red Hat Enterprise Linux, for the all versions of Red Hat Enterprise Linux only read of memory out of bounds possible (and both in most cases it requires some privileges, because module CONFIG_INPUT_JOYDEV not being used by default, so no any devices like /dev/input/js* and as result not possible to trigger the bug before enabling the device driver).
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3612