CVE-2021-47613

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47613
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47613.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-47613
Downstream
Published
2024-06-19T15:15:55Z
Modified
2024-11-21T06:36:40Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: virtio: fix completion handling

The driver currently assumes that the notify callback is only received when the device is done with all the queued buffers.

However, this is not true, since the notify callback could be called without any of the queued buffers being completed (for example, with virtio-pci and shared interrupts) or with only some of the buffers being completed (since the driver makes them available to the device in multiple separate virtqueueaddsgs() calls).

This can lead to incorrect data on the I2C bus or memory corruption in the guest if the device operates on buffers which are have been freed by the driver. (The WARN_ON in the driver is also triggered.)

BUG kmalloc-128 (Tainted: G W ): Poison overwritten First byte 0x0 instead of 0x6b Allocated in i2cdevioctlrdwr+0x9d/0x1de age=243 cpu=0 pid=28 memdupuser+0x2e/0xbd i2cdevioctlrdwr+0x9d/0x1de i2cdevioctl+0x247/0x2ed vfsioctl+0x21/0x30 sysioctl+0xb18/0xb41 Freed in i2cdevioctlrdwr+0x1bb/0x1de age=68 cpu=0 pid=28 kfree+0x1bd/0x1cc i2cdevioctlrdwr+0x1bb/0x1de i2cdevioctl+0x247/0x2ed vfsioctl+0x21/0x30 sys_ioctl+0xb18/0xb41

Fix this by calling virtiogetbuf() from the notify handler like other virtio drivers and by actually waiting for all the buffers to be completed.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}