Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
comedi: me4000: Fix potential overrun of firmware buffer
me4000_xilinx_download() loads the firmware that was requested by
request_firmware(). It is possible for it to overrun the source
buffer because it blindly trusts the file format. It reads a data
stream length from the first 4 bytes into variable file_length and
reads the data stream contents of length file_length from offset 16
onwards.
Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream. On failure, log an error and
return -EINVAL.
Note: The firmware loading was totally broken before commit ac584af59945 (“staging: comedi: me4000: fix firmware downloading”), but that is the most sensible target for this fix.
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , Oracle Linux 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
- Affected packages:
- kernel @ 4.18.0 (+9 more)
In the Linux kernel, the following vulnerability has been resolved:
comedi: me4000: Fix potential overrun of firmware buffer
me4000_xilinx_download() loads the firmware that was requested by
request_firmware(). It is possible for it to overrun the source
buffer because it blindly trusts the file format. It reads a data
stream length from the first 4 bytes into variable file_length and
reads the data stream contents of length file_length from offset 16
onwards.
Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream. On failure, log an error and
return -EINVAL.
Note: The firmware loading was totally broken before commit ac584af59945 (“staging: comedi: me4000: fix firmware downloading”), but that is the most sensible target for this fix.