Bug 2123309 (CVE-2022-3077) - CVE-2022-3077 kernel: i2c: unbounded length leads to buffer overflow in ismt_access()
Summary: CVE-2022-3077 kernel: i2c: unbounded length leads to buffer overflow in ismt_...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3077
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2125581 2125582 2127532 2134887 2135436
Blocks: 2093295
Reported: 2022-09-01 11:10 UTC by Mauro Matteo Cascella
Modified: 2023-05-12 20:10 UTC (History)

Fixed In Version: kernel 5.19
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow vulnerability was found in the Linux kernel's Intel iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. In particular, the userspace-controllable "data->block[0]" variable was not capped to a number between 0-255 and was then used as the size of a memcpy, thus possibly writing beyond the end of dma_buffer. This flaw could allow a privileged local user to crash the system.
Clone Of:
Environment:
Last Closed: 2023-01-25 10:52:14 UTC
Embargoed:




Links
- Red Hat Product Errata RHSA-2023:0300 (last updated 2023-01-23 15:17:09 UTC)
- Red Hat Product Errata RHSA-2023:0334 (last updated 2023-01-23 15:21:32 UTC)

Description Mauro Matteo Cascella 2022-09-01 11:10:59 UTC
A memory corruption flaw was found in the Linux kernel's I2C driver. The userspace-controllable "data->block[0]" variable was not capped to a number between 0-255 and used as the size of a memcpy, thus possibly writing beyond the end of dma_buffer[] and resulting in a buffer overflow condition.

Upstream fix:
https://github.com/torvalds/linux/commit/690b2549b19563ec5ad53e5c82f6a944d910086e
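The following is an added userspace model of the length check that closes this flaw; it is not the kernel's i2c-ismt.c and is not part of the bug report. The struct name smbus_block, the DMA_BUFFER_LEN size, and the function names are constructed for illustration; what it reproduces is the shape of the fix, which is rejecting a user-supplied block length above I2C_SMBUS_BLOCK_MAX before it reaches memcpy, together with a helper that shows how far an unchecked copy would overrun the staging buffer.

```c
/* Added userspace model of the fix for CVE-2022-3077 (not the kernel driver).
 * Buffer sizes and names below are constructed to mirror the SMBus block
 * layout: block[0] is the length, block[1..] is the payload. */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32   /* SMBus allows at most 32 data bytes per block */

/* Userspace-supplied block as passed through ioctl(I2C_SMBUS): block[0] is a
 * full byte, so the user can send any value 0..255 even though the protocol
 * only permits 0..32. (Constructed struct; the kernel uses its own type.) */
struct smbus_block {
    uint8_t block[I2C_SMBUS_BLOCK_MAX + 2];
};

/* Staging buffer handed to the controller: one command byte + up to 32 data bytes. */
#define DMA_BUFFER_LEN (I2C_SMBUS_BLOCK_MAX + 1)

/*
 * Stage an I2C_SMBUS_BLOCK_PROC_CALL write into dma_buffer.
 * Returns the number of bytes staged, or -EINVAL when the user-controlled
 * length exceeds the protocol maximum. Without the check, a length of 255
 * would drive the memcpy 223 bytes past the end of dma_buffer.
 */
int stage_block_proc_call(uint8_t command, const struct smbus_block *data,
                          uint8_t dma_buffer[DMA_BUFFER_LEN])
{
    uint8_t len = data->block[0];

    /* The fix: refuse lengths the SMBus protocol cannot express. */
    if (len > I2C_SMBUS_BLOCK_MAX)
        return -EINVAL;

    dma_buffer[0] = command;
    memcpy(&dma_buffer[1], &data->block[1], len);
    return (int)len + 1;
}

/* Bytes an unchecked copy of `len` payload bytes would write beyond the end
 * of dma_buffer; 0 when the copy fits. Computes the overrun, never performs it. */
size_t overrun_bytes(uint8_t len)
{
    size_t needed = (size_t)len + 1;   /* command byte + payload */
    return needed > DMA_BUFFER_LEN ? needed - DMA_BUFFER_LEN : 0;
}
```

The check is placed before any write so a rejected request leaves dma_buffer untouched; a defender auditing similar ioctl paths should look for every place a one-byte user length flows into memcpy without being compared against the protocol maximum first.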

Comment 3 Mauro Matteo Cascella 2022-09-01 15:02:26 UTC

*** This bug has been marked as a duplicate of bug 2119048 ***

Comment 4 Salvatore Bonaccorso 2022-09-02 05:02:30 UTC
As this is a duplicate of CVE-2022-2873, can you remove the "Bugzilla Alias" to CVE-2022-3077?

Comment 5 Mauro Matteo Cascella 2022-09-02 08:33:22 UTC
(In reply to Salvatore Bonaccorso from comment #4)
> As this is a duplicate of CVE-2022-2873, can you remove the "Bugzilla Alias"
> to CVE-2022-3077?

Done!

Comment 7 Mauro Matteo Cascella 2022-09-09 11:07:53 UTC
In reply to comment #4:
> As this is a duplicate of CVE-2022-2873, can you remove the "Bugzilla Alias"
> to CVE-2022-3077?

Salvatore, please note that this turned out to be a different (yet quite similar) issue. CVE-2022-2873 is about I2C_SMBUS_BLOCK_DATA, while the bug here is in the I2C_SMBUS_BLOCK_PROC_CALL case. The fix for CVE-2022-2873 has not been merged upstream AFAICS. We are going to re-use CVE-2022-3077 to track this one. Thanks.

Comment 9 Salvatore Bonaccorso 2022-09-09 20:59:19 UTC
(In reply to Mauro Matteo Cascella from comment #7)
> In reply to comment #4:
> > As this is a duplicate of CVE-2022-2873, can you remove the "Bugzilla Alias"
> > to CVE-2022-3077?
> 
> Salvatore, please note that this turned out to be a different (yet quite
> similar) issue. CVE-2022-2873 is about I2C_SMBUS_BLOCK_DATA, while the bug
> here is in the I2C_SMBUS_BLOCK_PROC_CALL case. The fix for CVE-2022-2873 has
> not been merged upstream AFAICS. We are going to re-use CVE-2022-3077 to
> track this one. Thanks.

Mauro, thanks for clarifying it.

Comment 19 errata-xmlrpc 2023-01-23 15:17:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0300 https://access.redhat.com/errata/RHSA-2023:0300

Comment 20 errata-xmlrpc 2023-01-23 15:21:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0334 https://access.redhat.com/errata/RHSA-2023:0334

Comment 21 Product Security DevOps Team 2023-01-25 10:52:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3077

