cve-2021-47561
Vulnerability from cvelistv5
Published
2024-05-24 15:12
Modified
2024-12-19 07:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: i2c: virtio: disable timeout handling If a timeout is hit, it can result is incorrect data on the I2C bus and/or memory corruptions in the guest since the device can still be operating on the buffers it was given while the guest has freed them. Here is, for example, the start of a slub_debug splat which was triggered on the next transfer after one transfer was forced to timeout by setting a breakpoint in the backend (rust-vmm/vhost-device): BUG kmalloc-1k (Not tainted): Poison overwritten First byte 0x1 instead of 0x6b Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29 __kmalloc+0xc2/0x1c9 virtio_i2c_xfer+0x65/0x35c __i2c_transfer+0x429/0x57d i2c_transfer+0x115/0x134 i2cdev_ioctl_rdwr+0x16a/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29 kfree+0x1bd/0x1cc virtio_i2c_xfer+0x32e/0x35c __i2c_transfer+0x429/0x57d i2c_transfer+0x115/0x134 i2cdev_ioctl_rdwr+0x16a/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 There is no simple fix for this (the driver would have to always create bounce buffers and hold on to them until the device eventually returns the buffers), so just disable the timeout support for now.
Impacted products
Vendor Product Version
Linux Linux Version: 5.15
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47561",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-10T18:51:06.665618Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-10T18:51:14.257Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.771Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-virtio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f",
              "status": "affected",
              "version": "3cfc88380413d20f777dc6648a38f683962e52bf",
              "versionType": "git"
            },
            {
              "lessThan": "84e1d0bf1d7121759622dabf8fbef4c99ad597c5",
              "status": "affected",
              "version": "3cfc88380413d20f777dc6648a38f683962e52bf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-virtio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: disable timeout handling\n\nIf a timeout is hit, it can result is incorrect data on the I2C bus\nand/or memory corruptions in the guest since the device can still be\noperating on the buffers it was given while the guest has freed them.\n\nHere is, for example, the start of a slub_debug splat which was\ntriggered on the next transfer after one transfer was forced to timeout\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\n\n BUG kmalloc-1k (Not tainted): Poison overwritten\n First byte 0x1 instead of 0x6b\n Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\n \t__kmalloc+0xc2/0x1c9\n \tvirtio_i2c_xfer+0x65/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\n \tkfree+0x1bd/0x1cc\n \tvirtio_i2c_xfer+0x32e/0x35c\n \t__i2c_transfer+0x429/0x57d\n \ti2c_transfer+0x115/0x134\n \ti2cdev_ioctl_rdwr+0x16a/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nThere is no simple fix for this (the driver would have to always create\nbounce buffers and hold on to them until the device eventually returns\nthe buffers), so just disable the timeout support for now."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:44:51.283Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5"
        }
      ],
      "title": "i2c: virtio: disable timeout handling",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47561",
    "datePublished": "2024-05-24T15:12:50.061Z",
    "dateReserved": "2024-05-24T15:11:00.727Z",
    "dateUpdated": "2024-12-19T07:44:51.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47561\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-24T15:15:20.690\",\"lastModified\":\"2024-11-21T06:36:33.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: virtio: disable timeout handling\\n\\nIf a timeout is hit, it can result is incorrect data on the I2C bus\\nand/or memory corruptions in the guest since the device can still be\\noperating on the buffers it was given while the guest has freed them.\\n\\nHere is, for example, the start of a slub_debug splat which was\\ntriggered on the next transfer after one transfer was forced to timeout\\nby setting a breakpoint in the backend (rust-vmm/vhost-device):\\n\\n BUG kmalloc-1k (Not tainted): Poison overwritten\\n First byte 0x1 instead of 0x6b\\n Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29\\n \\t__kmalloc+0xc2/0x1c9\\n \\tvirtio_i2c_xfer+0x65/0x35c\\n \\t__i2c_transfer+0x429/0x57d\\n \\ti2c_transfer+0x115/0x134\\n \\ti2cdev_ioctl_rdwr+0x16a/0x1de\\n \\ti2cdev_ioctl+0x247/0x2ed\\n \\tvfs_ioctl+0x21/0x30\\n \\tsys_ioctl+0xb18/0xb41\\n Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29\\n \\tkfree+0x1bd/0x1cc\\n \\tvirtio_i2c_xfer+0x32e/0x35c\\n \\t__i2c_transfer+0x429/0x57d\\n \\ti2c_transfer+0x115/0x134\\n \\ti2cdev_ioctl_rdwr+0x16a/0x1de\\n \\ti2cdev_ioctl+0x247/0x2ed\\n \\tvfs_ioctl+0x21/0x30\\n \\tsys_ioctl+0xb18/0xb41\\n\\nThere is no simple fix for this (the driver would have to always create\\nbounce buffers and hold on to them until the device eventually returns\\nthe buffers), so just disable the timeout support for now.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: i2c: virtio: deshabilita el manejo del tiempo de espera Si se alcanza un tiempo de espera, puede resultar en datos incorrectos en el bus I2C y/o da\u00f1os en la memoria del invitado, ya que el dispositivo a\u00fan puede estar funcionando. en los buffers que se le dieron mientras el hu\u00e9sped los liber\u00f3. Aqu\u00ed est\u00e1, por ejemplo, el inicio de un splat slub_debug que se activ\u00f3 en la siguiente transferencia despu\u00e9s de que se oblig\u00f3 a que una transferencia expirara estableciendo un punto de interrupci\u00f3n en el backend (rust-vmm/vhost-device): ERROR kmalloc-1k (No contaminado ): Veneno sobrescrito Primer byte 0x1 en lugar de 0x6b Asignado en virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29 __kmalloc+0xc2/0x1c9 virtio_i2c_xfer+0x65/0x35c __i2c_transfer+0x429/0x57d 0x115/0x134 i2cdev_ioctl_rdwr+0x16a/ 0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Liberado en virtio_i2c_xfer+0x32e/0x35c edad=244 cpu=0 pid=29 kfree+0x1bd/0x1cc x32e/0x35c __i2c_transfer+0x429/0x57d i2c_transfer+0x115 /0x134 i2cdev_ioctl_rdwr+0x16a/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 No existe una soluci\u00f3n sencilla para esto (el controlador siempre tendr\u00eda que crear b\u00faferes de rebote y conservarlos hasta que el dispositivo finalmente devuelva el b\u00faferes), as\u00ed que simplemente deshabilite el soporte de tiempo de espera por ahora.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/84e1d0bf1d7121759622dabf8fbef4c99ad597c5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/cc432b0727ce404cc13e8f6b5ce29f412c3f9f1f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.