Bug 2013180 (CVE-2021-43389) - CVE-2021-43389 kernel: an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c
Summary: CVE-2021-43389 kernel: an array-index-out-bounds in detach_capi_ctr in driver...
Keywords:
Status: NEW
Alias: CVE-2021-43389
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 2016620 (view as bug list)
Depends On: 2016490 2016491 2016492 2013181
Blocks: 2013182
TreeView+ depends on / blocked
 
Reported: 2021-10-12 10:24 UTC by Marian Rehak
Modified: 2021-11-11 14:02 UTC (History)
50 users (show)

Fixed In Version: Linux kernel 5.15-rc6
Doc Type: If docs needed, set a value
Doc Text:
An improper validation of an array index and out of bounds memory read in the Linux kernel's Integrated Services Digital Network (ISDN) functionality was found in the way users call ioctl CMTPCONNADD. A local user could use this flaw to crash the system or starve the resources causing denial of service.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2021-10-12 10:24:16 UTC
There is an array-index-out-bounds bug in detach_capi_ctr in drivers/isdn/capi/kcapi.c. During this process, the kernel thread would call detach_capi_ctr() to detach a register controller. if the controller was not attached yet, detach_capi_ctr() would trigger an array-index-out-bounds bug.

Reference:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f3e2e97c003f80c4b087092b225c8787ff91e4d
https://lore.kernel.org/netdev/CAFcO6XOvGQrRTaTkaJ0p3zR7y7nrAWD79r48=L_BbOyrK9X-vA@mail.gmail.com/

Comment 1 Marian Rehak 2021-10-12 10:24:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2013181]

Comment 2 Justin M. Forbes 2021-10-12 17:01:59 UTC
For Fedora:
# CONFIG_ISDN is not set

Comment 7 Wade Mealing 2021-10-26 05:29:00 UTC
*** Bug 2016620 has been marked as a duplicate of this bug. ***

Comment 9 Salvatore Bonaccorso 2021-11-04 20:45:58 UTC
CVE-2021-3896 seems to have been assigned by Red Hat, but was not yet published to MITRE is this right? I'm asking because there is now as well https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43389 . I contacted MITRE over the cveform to see which one should be retained, my understanding would be that both CVEs are for the same issue.

Comment 10 Salvatore Bonaccorso 2021-11-04 21:10:25 UTC
Got a reply from MITRE already, so 

https://www.cve.org/CVERecord?id=CVE-2021-3896
https://www.cve.org/CVERecord?id=CVE-2021-43389

making CVE-2021-43389 the valid CVE and CVE-2021-3896 is REJECTED.

Comment 11 Salvatore Bonaccorso 2021-11-05 20:04:45 UTC
As the CVE CVE-2021-3896 is rejected, can you please as well update the Bugzilla Alias for this bug?

Comment 12 Rohit Keshri 2021-11-06 17:12:52 UTC
Hello, thank you for informing us, we have made the changes to our Bugzilla.


Note You need to log in before you can comment on or make changes to this bug.