BF Specification of CVE-2021-21834

Missing range verification of the user-controlled 'nb_entries' (the product (u64)ptr->nb_entries * sizeof(u64) must not exceed what a 32-bit size can hold) leaves an inconsistent value, which becomes a wrong argument to the multiplication operator '*' in 'ptr->nb_entries * sizeof(u64)'. On a 32-bit platform the result wraps around (integer overflow) to a small number, so not enough memory is allocated for the 'ptr->offsets' buffer; the loop that then fills 'ptr->offsets[entries]' repositions the pointer over the buffer's bounds, and the write leads to a heap buffer overflow. If exploited, this can lead to denial of service or arbitrary (remote) code execution.
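The chain described above (unchecked count, 32-bit wrap of the size product, undersized allocation, write loop running past the end), as an added example in C that is not code from the BF page or from the affected project. The struct 'entry_table', the big-endian payload layout, the helper names and the two constructed payloads are assumptions chosen to mirror the identifiers quoted in the description. A 32-bit size_t is modeled by truncating the product to uint32_t so the demonstration runs on a 64-bit host, and the vulnerable path reports how far the write loop would run past the allocation instead of actually corrupting the heap; the fixed path performs the missing range check before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t u64;
typedef uint32_t u32;

/* Hypothetical record mirroring the identifiers quoted in the description. */
struct entry_table {
    u32  nb_entries;
    u64 *offsets;
};

static u32 read_be32(const uint8_t *p)
{
    return ((u32)p[0] << 24) | ((u32)p[1] << 16) | ((u32)p[2] << 8) | (u32)p[3];
}

static u64 read_be64(const uint8_t *p)
{
    return ((u64)read_be32(p) << 32) | read_be32(p + 4);
}

/* Models size_t on a 32-bit platform: nb_entries * sizeof(u64) is truncated
 * to 32 bits, which is where the wrap-around happens. */
static u32 alloc_size_32bit(u32 nb_entries)
{
    return (u32)((u64)nb_entries * sizeof(u64));
}

/* The missing range verification. Returns 1 if nb_entries is acceptable. */
static int nb_entries_in_range(u32 nb_entries, size_t payload_len)
{
    if (nb_entries > UINT32_MAX / sizeof(u64))
        return 0;                      /* product would wrap in a 32-bit size_t */
    if ((u64)nb_entries * sizeof(u64) > payload_len)
        return 0;                      /* payload cannot hold that many entries */
    return 1;
}

/* Vulnerable pattern: trusts nb_entries, so the wrapped product sizes the
 * buffer while the fill loop still runs nb_entries times. To stay safe to run
 * it does not perform the writes; it returns how many bytes the loop would
 * write past the end of the allocation (0 when there is no overflow). */
static u64 vulnerable_bytes_past_end(const uint8_t *payload, size_t payload_len)
{
    if (payload_len < 4)
        return 0;
    u32 nb_entries = read_be32(payload);          /* user-controlled, unchecked */
    u32 size = alloc_size_32bit(nb_entries);      /* malloc(size) in real code */
    u64 written = (u64)nb_entries * sizeof(u64);  /* bytes the loop writes */
    return written > size ? written - size : 0;
}

/* Fixed pattern: verify the range first, then allocate and fill.
 * Returns 0 on success, -1 on rejection. Caller frees out->offsets. */
static int parse_entries_fixed(const uint8_t *payload, size_t payload_len,
                               struct entry_table *out)
{
    if (payload_len < 4)
        return -1;
    u32 nb_entries = read_be32(payload);
    if (!nb_entries_in_range(nb_entries, payload_len - 4))
        return -1;
    out->offsets = calloc(nb_entries ? nb_entries : 1, sizeof(u64));
    if (!out->offsets)
        return -1;
    for (u32 i = 0; i < nb_entries; i++)
        out->offsets[i] = read_be64(payload + 4 + (size_t)i * sizeof(u64));
    out->nb_entries = nb_entries;
    return 0;
}

/* Constructed input: nb_entries = 0x20000001 (2^29 + 1); the product is
 * 2^32 + 8 and wraps to 8 on a 32-bit platform. Only the count is present. */
static const uint8_t kMaliciousPayload[4] = { 0x20, 0x00, 0x00, 0x01 };

/* Constructed input: two entries, values 0x10 and 0x1122334455667788. */
static const uint8_t kBenignPayload[4 + 16] = {
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
};

u64 demo_malicious_bytes_past_end(void)
{
    return vulnerable_bytes_past_end(kMaliciousPayload, sizeof kMaliciousPayload);
}

int demo_malicious_rejected_by_fix(void)
{
    struct entry_table t = { 0, NULL };
    return parse_entries_fixed(kMaliciousPayload, sizeof kMaliciousPayload, &t) == -1;
}

u64 demo_benign_second_offset(void)
{
    struct entry_table t = { 0, NULL };
    if (parse_entries_fixed(kBenignPayload, sizeof kBenignPayload, &t) != 0)
        return 0;
    u64 v = t.offsets[1];
    free(t.offsets);
    return v;
}

int main(void)
{
    printf("vulnerable (32-bit model): %llu bytes written past end\n",
           (unsigned long long)demo_malicious_bytes_past_end());
    printf("fix rejects malicious count: %d\n", demo_malicious_rejected_by_fix());
    printf("benign second offset: 0x%llx\n",
           (unsigned long long)demo_benign_second_offset());
    return 0;
}
```

The first check in nb_entries_in_range is the one the description says is missing: dividing the type's maximum by the element size before multiplying is the overflow-safe form of "nb_entries * sizeof(u64) must fit". The second check is the companion a parser also needs, because even a non-wrapping count can exceed the bytes actually present in the input.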

DVR (Data Verification): Data are verified (semantics check) or corrected (assign, remove) improperly.
TCM (Type Computation): An arithmetic expression (over numbers, strings, or pointers) is calculated improperly, or a boolean condition is evaluated improperly.
MMN (Memory Management): An object is allocated, deallocated, or resized improperly.
MAD (Memory Addressing): The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUS (Memory Use): An object is initialized, read, written, or cleared improperly.
Verify: Check data semantics (proper value/meaning) in order to accept (and possibly correct) or reject it.
Calculate: Find the result of a numeric, pointer, or string operation.
Allocate: Reserve space in memory for an object; defines its initial boundaries and size.
Reposition: Change the pointer to another position inside its object.
Write: Change the data value of an object to another meaningful value.
Code Defect Bug: The operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing Code: The entire operation implementation or a part of its specification is absent.
Data Error/Fault: The object data has harmed semantics or an inconsistent or wrong value.
   Inconsistent Value: Data value does not correspond to the value of a related data (e.g., inconsistency between the value of a size variable and the actual buffer size).
   Wrong Argument: Inaccurate input data value, i.e., not verified for harmed semantics.
   Wrap Around: A value moved around the clock over its data type's upper or lower range, as it exceeds that range (integer over-/under-flow is an integer value wrapped around the upper/lower range; it may become very small/large and change to the opposite sign).
   Wrong Size: The value used as size does not match the actual size of the object.
Size Error/Fault: The object size in use is wrong.
   Not Enough Memory: The allocated memory is too little for the data it should store.
Address Error/Fault: The object address in use is wrong.
   Over Bounds Pointer: Points above the upper boundary of its object.
Memory Corruption/Disclosure Final Error: An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer Overflow: Writes above the upper bound of an object -- aka Buffer Over-Write.
Operation Attribute -- Definition
Mechanism: Shows how the buggy/faulty operation code is performed.
   Range: Checking data are within a (min, max) interval.
   Operator: A function with a symbolic name that implements a mathematical, relational, or logical operation.
   Explicit: The operation is performed by a function/method call.
   Sequential: The operation is performed after iterating over the object elements.
Source Code: Shows where the buggy/faulty operation code is in the program -- in what kind of software.
   Third-Party: The operation is in third-party software.
Execution Space: Shows where the buggy/faulty operation code is running or with what privilege level.
   Local: The bugged code runs in an environment with an access control policy with limited (local user) permission.
   Userland: The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in the x86 architecture).
Operand Attribute -- Definition
Data State: Shows where the data come from.
   Stored: The data are from permanent storage (e.g., a file or a database on a storage device).
Name State: Shows at what stage the entity name is.
   Bound: The name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation.
Data Kind: Shows what the data value is.
   Numeric: A number -- a sequence of digits.
Type Kind: Shows what the data type composition is.
   Structure: A composite data type -- e.g., array, list, map, class. A structured data type is built from other data types and has primitive or structured members.
Address State: Shows where the address is in the memory layout.
   Heap: The object is a dynamically allocated data structure (e.g., via malloc() or new).
Size Kind: Shows what the limit for traversal of the object is.
   Used: A supplied size for an object.