cve-2021-47613
Vulnerability from cvelistv5
Published
2024-06-19 14:58
Modified
2024-11-04 12:09
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: i2c: virtio: fix completion handling The driver currently assumes that the notify callback is only received when the device is done with all the queued buffers. However, this is not true, since the notify callback could be called without any of the queued buffers being completed (for example, with virtio-pci and shared interrupts) or with only some of the buffers being completed (since the driver makes them available to the device in multiple separate virtqueue_add_sgs() calls). This can lead to incorrect data on the I2C bus or memory corruption in the guest if the device operates on buffers which are have been freed by the driver. (The WARN_ON in the driver is also triggered.) BUG kmalloc-128 (Tainted: G W ): Poison overwritten First byte 0x0 instead of 0x6b Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28 memdup_user+0x2e/0xbd i2cdev_ioctl_rdwr+0x9d/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28 kfree+0x1bd/0x1cc i2cdev_ioctl_rdwr+0x1bb/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Fix this by calling virtio_get_buf() from the notify handler like other virtio drivers and by actually waiting for all the buffers to be completed.
Impacted products
Vendor Product Version
Linux Linux Version: 5.15
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:47:40.505Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9cbb957441ed8873577d7d313a3d79d69f1dad5c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b503de239f62eca898cfb7e820d9a35499137d22"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47613",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:11:55.313991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:50.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-virtio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9cbb957441ed",
              "status": "affected",
              "version": "3cfc88380413",
              "versionType": "git"
            },
            {
              "lessThan": "b503de239f62",
              "status": "affected",
              "version": "3cfc88380413",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-virtio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: virtio: fix completion handling\n\nThe driver currently assumes that the notify callback is only received\nwhen the device is done with all the queued buffers.\n\nHowever, this is not true, since the notify callback could be called\nwithout any of the queued buffers being completed (for example, with\nvirtio-pci and shared interrupts) or with only some of the buffers being\ncompleted (since the driver makes them available to the device in\nmultiple separate virtqueue_add_sgs() calls).\n\nThis can lead to incorrect data on the I2C bus or memory corruption in\nthe guest if the device operates on buffers which are have been freed by\nthe driver.  (The WARN_ON in the driver is also triggered.)\n\n BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten\n First byte 0x0 instead of 0x6b\n Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28\n \tmemdup_user+0x2e/0xbd\n \ti2cdev_ioctl_rdwr+0x9d/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28\n \tkfree+0x1bd/0x1cc\n \ti2cdev_ioctl_rdwr+0x1bb/0x1de\n \ti2cdev_ioctl+0x247/0x2ed\n \tvfs_ioctl+0x21/0x30\n \tsys_ioctl+0xb18/0xb41\n\nFix this by calling virtio_get_buf() from the notify handler like other\nvirtio drivers and by actually waiting for all the buffers to be\ncompleted."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:09:11.153Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9cbb957441ed8873577d7d313a3d79d69f1dad5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b503de239f62eca898cfb7e820d9a35499137d22"
        }
      ],
      "title": "i2c: virtio: fix completion handling",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47613",
    "datePublished": "2024-06-19T14:58:01.788Z",
    "dateReserved": "2024-06-19T14:55:32.795Z",
    "dateUpdated": "2024-11-04T12:09:11.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47613\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-19T15:15:55.850\",\"lastModified\":\"2024-10-30T21:37:51.337\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: virtio: fix completion handling\\n\\nThe driver currently assumes that the notify callback is only received\\nwhen the device is done with all the queued buffers.\\n\\nHowever, this is not true, since the notify callback could be called\\nwithout any of the queued buffers being completed (for example, with\\nvirtio-pci and shared interrupts) or with only some of the buffers being\\ncompleted (since the driver makes them available to the device in\\nmultiple separate virtqueue_add_sgs() calls).\\n\\nThis can lead to incorrect data on the I2C bus or memory corruption in\\nthe guest if the device operates on buffers which are have been freed by\\nthe driver.  (The WARN_ON in the driver is also triggered.)\\n\\n BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten\\n First byte 0x0 instead of 0x6b\\n Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28\\n \\tmemdup_user+0x2e/0xbd\\n \\ti2cdev_ioctl_rdwr+0x9d/0x1de\\n \\ti2cdev_ioctl+0x247/0x2ed\\n \\tvfs_ioctl+0x21/0x30\\n \\tsys_ioctl+0xb18/0xb41\\n Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28\\n \\tkfree+0x1bd/0x1cc\\n \\ti2cdev_ioctl_rdwr+0x1bb/0x1de\\n \\ti2cdev_ioctl+0x247/0x2ed\\n \\tvfs_ioctl+0x21/0x30\\n \\tsys_ioctl+0xb18/0xb41\\n\\nFix this by calling virtio_get_buf() from the notify handler like other\\nvirtio drivers and by actually waiting for all the buffers to be\\ncompleted.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: i2c: virtio: manejo de finalizaci\u00f3n de reparaci\u00f3n El controlador actualmente supone que la devoluci\u00f3n de llamada de notificaci\u00f3n solo se recibe cuando el dispositivo termina con todos los b\u00faferes en cola. Sin embargo, esto no es cierto, ya que la devoluci\u00f3n de llamada de notificaci\u00f3n podr\u00eda llamarse sin que se complete ninguno de los b\u00faferes en cola (por ejemplo, con virtio-pci e interrupciones compartidas) o con solo algunos de los b\u00faferes completados (ya que el controlador los pone a disposici\u00f3n). al dispositivo en m\u00faltiples llamadas virtqueue_add_sgs() separadas). Esto puede provocar datos incorrectos en el bus I2C o da\u00f1os en la memoria del hu\u00e9sped si el dispositivo funciona con b\u00faferes que han sido liberados por el controlador. (El WARN_ON en el controlador tambi\u00e9n se activa). ERROR kmalloc-128 (Contaminado: GW): Veneno sobrescrito Primer byte 0x0 en lugar de 0x6b Asignado en i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28 memdup_user+0x2e/0xbd i2cdev_ioctl_rdwr+0x9d/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Liberado en i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28 0x1cc i2cdev_ioctl_rdwr+0x1bb/0x1de i2cdev_ioctl+0x247/ 0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Solucione este problema llamando a virtio_get_buf() desde el controlador de notificaci\u00f3n como otros controladores virtio y esperando a que se completen todos los b\u00faferes.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15\",\"versionEndExcluding\":\"5.15.10\",\"matchCriteriaId\":\"CE684464-9205-451D-854A-11B8BBA99AF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"357AA433-37E8-4323-BFB2-3038D6E4B414\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A73429BA-C2D9-4D0C-A75F-06A1CA8B3983\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F621B5E3-E99D-49E7-90B9-EC3B77C95383\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7BFDCAA-1650-49AA-8462-407DD593F94F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/9cbb957441ed8873577d7d313a3d79d69f1dad5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b503de239f62eca898cfb7e820d9a35499137d22\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.