CVE-2021-47282
"BCM2835 SPI Driver Out-of-Bounds Write Vulnerability"
Description
In the Linux kernel, the following vulnerability has been resolved: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()") limited the number of slaves to 3 at compile-time. The limitation was necessitated by a statically-sized array prepare_cs[] in the driver private data which contains a per-slave register value. The commit sought to enforce the limitation at run-time by setting the controller's num_chipselect to 3: Slaves with a higher chipselect are rejected by spi_add_device(). However the commit neglected that num_chipselect only limits the number of *native* chipselects. If GPIO chipselects are specified in the device tree for more than 3 slaves, num_chipselect is silently raised by of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to the statically-sized array prepare_cs[]. As a bandaid fix which is backportable to stable, raise the number of allowed slaves to 24 (which "ought to be enough for anybody"), enforce the limitation on slave ->setup and revert num_chipselect to 3 (which is the number of native chipselects supported by the controller). An upcoming for-next commit will allow an arbitrary number of slaves.
INFO
Published Date :
May 21, 2024, 3:15 p.m.
Last Modified :
April 30, 2025, 2:30 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
5.9
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2021-47282.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2021-47282 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2021-47282 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 30, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-787 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.12.11 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4 up to (excluding) 5.4.126 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.44 Added Reference Type CVE: https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444 Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e Types: Patch Added Reference Type CVE: https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc Types: Patch -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690 Added Reference https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444 Added Reference https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e Added Reference https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 28, 2024
Action Type Old Value New Value -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 21, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()") limited the number of slaves to 3 at compile-time. The limitation was necessitated by a statically-sized array prepare_cs[] in the driver private data which contains a per-slave register value. The commit sought to enforce the limitation at run-time by setting the controller's num_chipselect to 3: Slaves with a higher chipselect are rejected by spi_add_device(). However the commit neglected that num_chipselect only limits the number of *native* chipselects. If GPIO chipselects are specified in the device tree for more than 3 slaves, num_chipselect is silently raised by of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to the statically-sized array prepare_cs[]. As a bandaid fix which is backportable to stable, raise the number of allowed slaves to 24 (which "ought to be enough for anybody"), enforce the limitation on slave ->setup and revert num_chipselect to 3 (which is the number of native chipselects supported by the controller). An upcoming for-next commit will allow an arbitrary number of slaves. Added Reference kernel.org https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2021-47282 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2021-47282
weaknesses.