CVE-2021-46980

{"id": "CVE-2021-46980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2024-02-28T09:15:37.273", "references": [{"url": "https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1f4642b72be79757f050924a9b9673b6a02034bc", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5e9c6f58b01e6fdfbc740390c01f542a35c97e57", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a453bfd7ef15fd9d524004d3ca7b05353a302911", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e5366bea0277425e1868ba20eeb27c879d5a6e2d", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Retrieve all the PDOs instead of just the first 4\n\ncommit 4dbc6a4ef06d (\"usb: typec: ucsi: save power data objects\nin PD mode\") introduced retrieval of the PDOs when connected to a\nPD-capable source. But only the first 4 PDOs are received since\nthat is the maximum number that can be fetched at a time given the\nMESSAGE_IN length limitation (16 bytes). However, as per the PD spec\na connected source may advertise up to a maximum of 7 PDOs.\n\nIf such a source is connected it's possible the PPM could have\nnegotiated a power contract with one of the PDOs at index greater\nthan 4, and would be reflected in the request data object's (RDO)\nobject position field. This would result in an out-of-bounds access\nwhen the rdo_index() is used to index into the src_pdos array in\nucsi_psy_get_voltage_now().\n\nWith the help of the UBSAN -fsanitize=array-bounds checker enabled\nthis exact issue is revealed when connecting to a PD source adapter\nthat advertise 5 PDOs and the PPM enters a contract having selected\nthe 5th one.\n\n[ 151.545106][ T70] Unexpected kernel BRK exception at EL1\n[ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP\n...\n[ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c\n[ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328\n...\n[ 151.545542][ T70] Call trace:\n[ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c\n[ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0\n[ 151.545550][ T70] dev_uevent+0x200/0x384\n[ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8\n[ 151.545557][ T70] power_supply_changed_work+0x174/0x31c\n[ 151.545562][ T70] process_one_work+0x244/0x6f0\n[ 151.545564][ T70] worker_thread+0x3e0/0xa64\n\nWe can resolve this by instead retrieving and storing up to the\nmaximum of 7 PDOs in the con->src_pdos array. This would involve\ntwo calls to the GET_PDOS command."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: ucsi: recupera todos los PDO en lugar de solo los primeros 4 commits 4dbc6a4ef06d (\"usb: typec: ucsi: guarda objetos de datos de energ\u00eda en modo PD\") introdujo la recuperaci\u00f3n de los PDO cuando se conectan a una fuente compatible con PD. Pero solo se reciben los primeros 4 PDO, ya que ese es el n\u00famero m\u00e1ximo que se puede recuperar a la vez dada la limitaci\u00f3n de longitud de MESSAGE_IN (16 bytes). Sin embargo, seg\u00fan las especificaciones de PD, una fuente conectada puede anunciar hasta un m\u00e1ximo de 7 PDO. Si dicha fuente est\u00e1 conectada, es posible que el PPM haya negociado un contrato de energ\u00eda con uno de los PDO con un \u00edndice mayor que 4, y se reflejar\u00eda en el campo de posici\u00f3n del objeto del objeto de datos de solicitud (RDO). Esto dar\u00eda como resultado un acceso fuera de los l\u00edmites cuando se usa rdo_index() para indexar en la matriz src_pdos en ucsi_psy_get_voltage_now(). Con la ayuda del verificador UBSAN -fsanitize=array-bounds habilitado, este problema exacto se revela cuando se conecta a un adaptador de fuente PD que anuncia 5 PDO y el PPM firma un contrato despu\u00e9s de seleccionar el quinto. [ 151.545106][ T70] Excepci\u00f3n inesperada de BRK del kernel en EL1 [ 151.545112][ T70] Error interno: controlador BRK: f2005512 [#1] SMP PREEMPT ... [ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c [ 151.545507 ] [ T70] lr : power_supply_show_property+0xc0/0x328 ... [ 151.545542][ T70] Rastreo de llamadas: [ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c [ 151.545546][ T70] power_supply_uevent+0x1a4/0x 2f0 [151.545550][T70] dev_uevent+0x200/0x384 [ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8 [ 151.545557][ T70] power_supply_changed_work+0x174/0x31c [ 151.545562][ T70] Process_one_work+0x244/0 x6f0 [ 151.545564][ T70] work_thread+0x3e0/0xa64 Nosotros Puede resolver esto recuperando y almacenando hasta un m\u00e1ximo de 7 PDO en la matriz con->src_pdos. Esto implicar\u00eda dos llamadas al comando GET_PDOS."}], "lastModified": "2024-12-31T16:06:11.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48EEEAD2-D08A-422C-8830-6CCF86E89E64", "versionEndExcluding": "5.10.38", "versionStartIncluding": "5.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83B53E9A-F426-4C03-9A5F-A931FF79827E", "versionEndExcluding": "5.11.22", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0274929A-B36C-4F4C-AB22-30A0DD6B995B", "versionEndExcluding": "5.12.5", "versionStartIncluding": "5.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}