Bug 1974079 (CVE-2021-3612) - CVE-2021-3612 kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
Summary: CVE-2021-3612 kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1974723 1974724 1974726 1974727 1974080 1974087 1974088 1974089 1974090 1974091 1974102
Blocks: 1966365 1974465
Reported: 2021-06-20 12:44 UTC by Alex
Modified: 2022-06-21 21:58 UTC
CC List: 42 users

Fixed In Version: kernel 5.9-rc1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory write flaw was found in the Linux kernel’s joystick devices subsystem, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2022-05-11 07:15:33 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2229 0 None None None 2022-05-12 11:26:15 UTC
Red Hat Product Errata RHBA-2022:4630 0 None None None 2022-05-18 11:46:03 UTC
Red Hat Product Errata RHBA-2022:4693 0 None None None 2022-05-19 05:10:27 UTC
Red Hat Product Errata RHBA-2022:4969 0 None None None 2022-06-08 18:39:33 UTC
Red Hat Product Errata RHBA-2022:5088 0 None None None 2022-06-16 11:22:49 UTC
Red Hat Product Errata RHSA-2022:1975 0 None None None 2022-05-10 14:39:06 UTC
Red Hat Product Errata RHSA-2022:1988 0 None None None 2022-05-10 14:44:48 UTC

Description Alex 2021-06-20 12:44:00 UTC
If using ioctl JSIOCSBTNMAP (e.g. for device /dev/input/js0) with incorrect input data (e.g. a buffer filled with the value 0xff), then a Linux kernel crash (panic) happens due to an out-of-bounds memory write.
The bug exists in kernels after patch 182d679b2298 (ref. https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/ , so starting from upstream v5.12-rc1). Before this patch (before v5.12-rc1) the bug existed too, but there was only the possibility of reading out of bounds of the stack, which was less dangerous.
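
The root cause described in the report is a user-supplied button map being used before its length and its values were checked. The following is an added example, not kernel code and not the reporter's code: it models the validate-before-use handling of a JSIOCSBTNMAP-style map in plain userspace C. BTN_MISC and KEY_MAX carry the Linux input ABI values; struct joydev_model, set_button_map and demo are constructed names, and the array sizes are a simplification of the real driver's layout.

```c
/* Constructed model of validate-before-use for a joystick button map.
 * Userspace only: no ioctl, no kernel structures. */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values from the Linux input ABI (input-event-codes.h). */
#define BTN_MISC 0x100
#define KEY_MAX  0x2ff
#define NBTN     (KEY_MAX - BTN_MISC + 1)   /* 512 map slots */

/* Hypothetical device state, loosely modelled on the driver's two tables. */
struct joydev_model {
    size_t   nkey;          /* buttons the device reports */
    uint16_t keypam[NBTN];  /* button index -> key code */
    uint16_t keymap[NBTN];  /* (key code - BTN_MISC) -> button index */
};

/* Returns 0 on success, -EINVAL if the map is rejected. No field of *j is
 * modified until every byte of the new map has been checked. */
int set_button_map(struct joydev_model *j, const void *user_buf, size_t len)
{
    uint16_t tmp[NBTN];
    size_t i, n;

    /* 1. Size checks: the caller-supplied length must describe exactly one
     *    entry per reported button. Zero, odd, short and oversized lengths
     *    are all rejected before anything is copied or used. */
    if (len == 0 || len % sizeof(uint16_t) != 0 || len > sizeof(tmp))
        return -EINVAL;
    n = len / sizeof(uint16_t);
    if (n != j->nkey)
        return -EINVAL;

    memcpy(tmp, user_buf, len);   /* stands in for copy_from_user() */

    /* 2. Value checks: each code must land inside keymap[] once shifted by
     *    BTN_MISC; otherwise the keymap[code - BTN_MISC] store below would
     *    write out of bounds (a buffer filled with 0xff fails here). */
    for (i = 0; i < n; i++)
        if (tmp[i] < BTN_MISC || tmp[i] > KEY_MAX)
            return -EINVAL;

    /* 3. Commit only after validation succeeded. */
    memcpy(j->keypam, tmp, len);
    memset(j->keymap, 0, sizeof(j->keymap));
    for (i = 0; i < n; i++)
        j->keymap[j->keypam[i] - BTN_MISC] = (uint16_t)i;
    return 0;
}

/* Constructed driver: exercises the zero-length, out-of-range and valid
 * paths. Returns 0 when all three behave as expected. */
int demo(void)
{
    struct joydev_model j = { .nkey = 2 };
    uint16_t good[2] = { BTN_MISC, BTN_MISC + 1 };
    uint16_t bad[2];
    memset(bad, 0xff, sizeof(bad));   /* the "buffer filled with 0xff" input */

    int r_zero = set_button_map(&j, good, 0);
    int r_bad  = set_button_map(&j, bad, sizeof(bad));
    int r_good = set_button_map(&j, good, sizeof(good));
    printf("zero-length: %d, out-of-range: %d, valid: %d\n",
           r_zero, r_bad, r_good);
    return (r_zero == -EINVAL && r_bad == -EINVAL && r_good == 0) ? 0 : 1;
}

int main(void)
{
    return demo();
}
```

The ordering is the point: length is checked before the copy, every value is checked before the commit, and the device tables are only rewritten once both checks pass, so a zero-length request or an all-0xff map can never reach the indexed store.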

Comment 1 Alex 2021-06-20 12:44:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1974080]

Comment 2 Alex 2021-06-20 13:23:58 UTC
Since the patch
https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/
has not yet been applied to any version of Red Hat Enterprise Linux, for all versions of Red Hat Enterprise Linux only an out-of-bounds memory read is possible (and in both cases it usually requires some privileges, because the module CONFIG_INPUT_JOYDEV is not used by default, so there are no devices like /dev/input/js* and as a result it is not possible to trigger the bug before enabling the device driver).

Comment 11 errata-xmlrpc 2022-05-10 14:39:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 12 errata-xmlrpc 2022-05-10 14:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

Comment 13 Product Security DevOps Team 2022-05-11 07:15:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3612
