CVE-2021-47475 in Linux

Summary

by MITRE • 05/22/2024

In the Linux kernel, the following vulnerability has been resolved:

comedi: vmk80xx: fix transfer-buffer overflows

The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes.

Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") inadvertently fixed NULL-pointer dereferences when accessing the transfer buffers in case a malicious device has a zero wMaxPacketSize.

Make sure to allocate buffers large enough to handle also the other accesses that are done without a size check (e.g. byte 18 in vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond the buffers, for example, when doing descriptor fuzzing.

The original driver was for a low-speed device with 8-byte buffers. Support was later added for a device that uses bulk transfers and is presumably a full-speed device with a maximum 64-byte wMaxPacketSize.


Analysis

by VulDB Data Team • 09/25/2025

CVE-2021-47475 affects the vmk80xx driver in the Linux kernel's comedi subsystem, which drives the Velleman K8055 and K8061 USB experiment boards (the driver's model identifiers are VMK8055_MODEL and VMK8061_MODEL). The comedi framework provides a standardized interface to data acquisition hardware; vmk80xx implements that interface over USB transfers. The flaw is an out-of-bounds access on the driver's USB transfer buffers: the buffers are sized from a value the device itself supplies, but several driver paths access fixed byte offsets in them without checking that offset against the buffer length. A malicious or fuzzed USB device can therefore cause kernel memory corruption simply by presenting crafted endpoint descriptors.

The driver allocates its receive and transmit buffers with the endpoint's wMaxPacketSize, a field read from the device's USB endpoint descriptor. The original driver targeted the low-speed K8055, whose endpoints have 8-byte packets; support for the K8061, a bulk-transfer device with packets of up to 64 bytes, was added later, and with it code that reads and writes fixed offsets well beyond 8 bytes, such as byte 18 in vmk80xx_cnt_insn_read(). Because those accesses are never compared against the allocated size, a device that advertises a wMaxPacketSize smaller than the largest offset the driver touches makes the driver read and write past the end of its buffer. The buffers are dynamically allocated in kernel memory, so this is a kernel heap overflow; the CWE-121 (stack-based) classification on this entry does not match where the buffers actually live.

The attack surface is the USB descriptor, which the device controls. A wMaxPacketSize of zero produced NULL-pointer dereferences, which an earlier commit had already (inadvertently) fixed; an undersized but non-zero value leaves a live buffer that the driver then overruns, with kernel crashes, data corruption or, in the worst case, privilege escalation as the outcome. Exploitation requires attaching a device, or emulating one with a descriptor-fuzzing tool, so the risk is highest on systems where untrusted USB devices can be plugged in and no USB device policy is enforced. The ATT&CK mapping recorded for this entry, T1059.007 (Command and Scripting Interpreter: JavaScript) and T1203 (Exploitation for Client Execution), is only loosely applicable: the realistic vector is a malicious USB device, not a script interpreter or a network-delivered client exploit. The byte-18 access in vmk80xx_cnt_insn_read() is the concrete example the fix cites: it indexes the receive transfer buffer (not the device descriptor) at a fixed position, and nothing guaranteed that the buffer was at least 19 bytes long.

Two commits are involved. The earlier commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") rejected endpoints with a zero wMaxPacketSize, which removed the NULL-pointer dereference but not the overflow. The fix for this CVE closes the remaining gap by allocating the transfer buffers large enough for every fixed-offset access the driver performs, regardless of how small a wMaxPacketSize the device advertises, so that a fuzzed or malicious descriptor can no longer shrink the buffer below what the driver assumes. The general lesson is that any value taken from a device descriptor is attacker-controlled input and must be bounded before it is used to size memory that fixed-offset code will access. Organizations should update to a kernel carrying the fix and, where untrusted USB devices are a concern, enforce a USB device allow-list so that unknown devices are not bound to drivers at all. The bug is a reminder that small omissions in USB driver input validation are reachable by anyone with physical access to a port or a descriptor-emulation tool.
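The following C program is an added example, not code from the kernel or the vmk80xx driver. It models the two allocation strategies described above: sizing the transfer buffer from the device-supplied wMaxPacketSize alone (the vulnerable behaviour) versus clamping it to a minimum that covers every fixed offset the driver touches. The register value VMK8061_CNT_REG = 0x08, the index expression reg * 2 + 2 that yields the byte-18 offset, and the MIN_BUF_SIZE of 64 are assumptions chosen to reproduce the offsets the commit message cites; the sample receive buffer is constructed.

```c
/*
 * Added example (not the kernel driver's code). Models how a transfer
 * buffer sized from the endpoint's wMaxPacketSize is overrun by a
 * fixed-offset access (the byte-18 counter read cited for the K8061),
 * and how clamping the allocation to a minimum size prevents it.
 *
 * Assumptions (not taken from the page): VMK8061_CNT_REG = 0x08 and the
 * index expression reg * 2 + 2, which together give offset 18;
 * MIN_BUF_SIZE = 64, the full-speed maximum packet size.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMK8061_CNT_REG 0x08   /* assumed register index */
#define MIN_BUF_SIZE    64     /* assumed minimum allocation */

/* Vulnerable sizing: trust the device-supplied wMaxPacketSize as-is. */
static size_t buf_size_vulnerable(unsigned int wMaxPacketSize)
{
    return wMaxPacketSize;
}

/* Hardened sizing: never allocate less than the largest fixed offset
 * the driver will access, whatever the descriptor claims. */
static size_t buf_size_fixed(unsigned int wMaxPacketSize)
{
    return wMaxPacketSize > MIN_BUF_SIZE ? wMaxPacketSize : MIN_BUF_SIZE;
}

/* Highest byte offset the modelled K8061 counter read touches:
 * VMK8061_CNT_REG * 2 + 2 = 18 under the assumptions above. */
static size_t cnt_read_max_offset(void)
{
    return (size_t)VMK8061_CNT_REG * 2 + 2;
}

/* Returns 1 if a device advertising wMaxPacketSize would make the
 * counter read run past a buffer sized by `sizer`, else 0. */
static int overflows(size_t (*sizer)(unsigned int), unsigned int wMaxPacketSize)
{
    size_t len = sizer(wMaxPacketSize);
    return cnt_read_max_offset() >= len;
}

/* Bounds-checked model of the counter read for channel `chan`.
 * Returns 0 and stores the 16-bit counter in *out, or -1 if either
 * index would fall outside buf_len instead of reading out of bounds. */
static int cnt_read_checked(const uint8_t *rx_buf, size_t buf_len,
                            unsigned int chan, unsigned int *out)
{
    size_t lo = (size_t)VMK8061_CNT_REG * (chan + 1) + 1;  /* 9 for chan 0 */
    size_t hi = cnt_read_max_offset();                      /* 18 */

    if (lo >= buf_len || hi >= buf_len)
        return -1;
    *out = rx_buf[lo] + 256u * rx_buf[hi];
    return 0;
}

int main(void)
{
    /* Descriptor values a fuzzer or malicious device might present. */
    const unsigned int sizes[] = { 1, 8, 16, 18, 19, 64 };
    size_t i;

    printf("wMaxPacketSize  vulnerable  fixed\n");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%14u  %10s  %5s\n", sizes[i],
               overflows(buf_size_vulnerable, sizes[i]) ? "OVERFLOW" : "ok",
               overflows(buf_size_fixed, sizes[i]) ? "OVERFLOW" : "ok");
    }

    /* Constructed sample receive buffer: counter low byte at 9, high at 18. */
    uint8_t rx[MIN_BUF_SIZE];
    unsigned int value = 0;
    memset(rx, 0, sizeof rx);
    rx[9] = 0x34;
    rx[18] = 0x12;
    if (cnt_read_checked(rx, sizeof rx, 0, &value) == 0)
        printf("counter (64-byte buffer): 0x%04x\n", value);

    /* The same read against an 8-byte buffer is refused rather than overrun. */
    if (cnt_read_checked(rx, 8, 0, &value) < 0)
        printf("counter (8-byte buffer): refused, offset 18 out of bounds\n");
    return 0;
}
```

Any wMaxPacketSize of 18 or below overruns the vulnerable allocation, while the clamped allocation is safe for every value; the checked read shows the alternative of validating the index at the access site, which is what a reviewer would want wherever the buffer length cannot be guaranteed at allocation time.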

Reservation

05/22/2024

Disclosure

05/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00259

KEV

no

Activities

very low
