Bug 2024989 (CVE-2021-43975) - CVE-2021-43975 kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
Summary: CVE-2021-43975 kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in d...
Keywords:
Status: NEW
Alias: CVE-2021-43975
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2025706 2025707 2025708 2024990 2027742
Blocks: 2024991
TreeView+ depends on / blocked
 
Reported: 2021-11-19 16:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-07-16 03:22 UTC (History)
43 users (show)

Fixed In Version: Linux kernel 5.16-rc2
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in the Linux kernel’s Aquantia AQtion Ethernet card Atlantic driver in the way the ethernet card provides malicious input to the driver. This flaw allows a local user to emulate the networking device and crash the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-11-19 16:39:30 UTC
In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.

Reference and upstream patches:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=b922f622592af76b57cbc566eaeccda0b31a3496
https://lore.kernel.org/netdev/163698540868.13805.17800408021782408762.git-patchwork-notify@kernel.org/T/

Comment 1 Guilherme de Almeida Suckevicz 2021-11-19 16:41:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2024990]


Note You need to log in before you can comment on or make changes to this bug.