{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47288","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-21T13:27:52.129Z","datePublished":"2024-05-21T14:34:51.776Z","dateUpdated":"2025-05-04T07:07:56.165Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:07:56.165Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()\n\nFix an 11-year old bug in ngene_command_config_free_buf() while\naddressing the following warnings caught with -Warray-bounds:\n\narch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\narch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\n\nThe problem is that the original code is trying to copy 6 bytes of\ndata into a one-byte size member _config_ of the wrong structue\nFW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a\nlegitimate compiler warning because memcpy() overruns the length\nof &com.cmd.ConfigureBuffers.config. It seems that the right\nstructure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains\n6 more members apart from the header _hdr_. Also, the name of\nthe function ngene_command_config_free_buf() suggests that the actual\nintention is to ConfigureFreeBuffers, instead of ConfigureBuffers\n(which takes place in the function ngene_command_config_buf(), above).\n\nFix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS\ninto new struct config, and use &com.cmd.ConfigureFreeBuffers.config as\nthe destination address, instead of &com.cmd.ConfigureBuffers.config,\nwhen calling memcpy().\n\nThis also helps with the ongoing efforts to globally enable\n-Warray-bounds and get us closer to being able to tighten the\nFORTIFY_SOURCE routines on memcpy()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/media/pci/ngene/ngene-core.c","drivers/media/pci/ngene/ngene.h"],"versions":[{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"4487b968e5eacd02c493303dc2b61150bb7fe4b2","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"c6ddeb63dd543b5474b0217c4e47538b7ffd7686","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"e818f2ff648581a6c553ae2bebc5dcef9a8bb90c","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"ec731c6ef564ee6fc101fc5d73e3a3a953d09a00","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"e617fa62f6cf859a7b042cdd6c73af905ff8fca3","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"e991457afdcb5f4dbc5bc9d79eaf775be33e7092","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"b9a178f189bb6d75293573e181928735f5e3e070","status":"affected","versionType":"git"},{"version":"dae52d009fc950b5c209260d50fcc000f5becd3c","lessThan":"8d4abca95ecc82fc8c41912fa0085281f19cc29f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/media/pci/ngene/ngene-core.c","drivers/media/pci/ngene/ngene.h"],"versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","status":"unaffected","versionType":"semver"},{"version":"4.4.277","lessThanOrEqual":"4.4.*","status":"unaffected","versionType":"semver"},{"version":"4.9.277","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.241","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.199","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.136","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.54","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.13.6","lessThanOrEqual":"5.13.*","status":"unaffected","versionType":"semver"},{"version":"5.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"4.4.277"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"4.9.277"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"4.14.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"4.19.199"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.4.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.10.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.13.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2"},{"url":"https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686"},{"url":"https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c"},{"url":"https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00"},{"url":"https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3"},{"url":"https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092"},{"url":"https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070"},{"url":"https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f"}],"title":"media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-47288","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-21T18:48:38.044089Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:15:21.595Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:32:08.191Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f","tags":["x_transferred"]}]}]}}