CVE-2021-42252: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability was discovered in the Linux kernel's Aspeed LPC control interface (CVE-2021-42252) affecting versions before 5.14.6. The issue was found in the aspeedlpcctrl_mmap function within drivers/soc/aspeed/aspeed-lpc-ctrl.c. The vulnerability was disclosed on October 11, 2021, and affects systems using the Aspeed Low Pin Count (LPC) Bus Controller implementation (NVD, Ubuntu).

The vulnerability stems from improper boundary checks in the aspeedlpcctrlmmap function. The issue occurs because the check mixes pages (vmpgoff) with bytes (vmstart, vmend) on one side of the comparison and uses resource address instead of resource size on the other side. This implementation error allows for incorrect memory size comparisons (Kernel Commit). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could allow local attackers with access to the Aspeed LPC control interface to overwrite memory in the kernel and potentially execute privileges. This could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability was fixed in Linux kernel version 5.14.6. The fix involves correcting the boundary check in the aspeedlpcctrl_mmap function to properly compare memory sizes (Kernel Changelog). Users are advised to upgrade to Linux kernel version 5.14.6 or later to address this vulnerability.