CVE-2021-4439
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: isdn: cpai: check ctr->cnr to avoid array index out of bound The cmtp_add_connection() would add a cmtp session to a controller and run a kernel thread to process cmtp. __module_get(THIS_MODULE); session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", session->num); During this process, the kernel thread would call detach_capi_ctr() to detach a register controller. if the controller was not attached yet, detach_capi_ctr() would trigger an array-index-out-bounds bug. [ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in drivers/isdn/capi/kcapi.c:483:21 [ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]' [ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted 5.15.0-rc2+ #8 [ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 46.870107][ T6479] Call Trace: [ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d [ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 [ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48 [ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 [ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 [ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 [ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 [ 46.874256][ T6479] kthread+0x147/0x170 [ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40 [ 46.875248][ T6479] ret_from_fork+0x1f/0x30 [ 46.875773][ T6479]
CVSS Metrics
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.02%• Percentile: 5%
Techniques & Countermeasures
- CWE-129•Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Affected Systems
- linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < e8b8de17e164c9f1b7777f1c6f99d05539000036 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 24219a977bfe3d658687e45615c70998acdbac5a | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 9b6b2db77bc3121fe435f1d4b56e34de443bec75 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 7d91adc0ccb060ce564103315189466eb822cc6a | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 285e9210b1fab96a11c0be3ed5cea9dd48b6ac54 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 7f221ccbee4ec662e2292d490a43ce6c314c4594 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < cc20226e218a2375d50dd9ac14fb4121b43375ff | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 1f3e2e97c003f80c4b087092b225c8787ff91e4d | 2.6.12
- linux•linux_kernel
< 4.4.290 | ≥ 4.5, < 4.9.288 | ≥ 4.10, < 4.14.253 | ≥ 4.15, < 4.19.214 | ≥ 4.20, < 5.4.156 | ≥ 5.5, < 5.10.76 | ≥ 5.11, < 5.14.15 | 5.15:rc1 | 5.15:rc2 | 5.15:rc3 | 5.15:rc4 | 5.15:rc5
References (8)
- https://git.kernel.org/stable/c/e8b8de17e164c9f1b7777f1c6f99d05539000036
- https://git.kernel.org/stable/c/24219a977bfe3d658687e45615c70998acdbac5a
- https://git.kernel.org/stable/c/9b6b2db77bc3121fe435f1d4b56e34de443bec75
- https://git.kernel.org/stable/c/7d91adc0ccb060ce564103315189466eb822cc6a
- https://git.kernel.org/stable/c/285e9210b1fab96a11c0be3ed5cea9dd48b6ac54
- https://git.kernel.org/stable/c/7f221ccbee4ec662e2292d490a43ce6c314c4594
- https://git.kernel.org/stable/c/cc20226e218a2375d50dd9ac14fb4121b43375ff
- https://git.kernel.org/stable/c/1f3e2e97c003f80c4b087092b225c8787ff91e4d