ghsa-v3v7-3vrh-65v3
Vulnerability from github
Published
2025-03-18 21:31
Modified
2025-03-18 21:31
Severity ?
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()

Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process:

ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes }

, which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80

Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely.

Fetch a reproducer in [Link].

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T06:37:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n  aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096\n  if (aligned_len \u003c= wbuf-\u003eavail) ... // Not satisfy\n  if (wbuf-\u003eused) {\n    ubifs_leb_write()  // Fill some data in avail wbuf\n    len -= wbuf-\u003eavail;   // len is still not 8-bytes aligned\n    aligned_len -= wbuf-\u003eavail;\n  }\n  n = aligned_len \u003e\u003e c-\u003emax_write_shift;\n  if (n) {\n    n \u003c\u003c= c-\u003emax_write_shift;\n    err = ubifs_leb_write(c, wbuf-\u003elnum, buf + written,\n                          wbuf-\u003eoffs, n);\n    // n \u003e len, read out of bounds less than 8(n-len) bytes\n  }\n\n, which can be catched by KASAN:\n  =========================================================\n  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n  Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n  Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n  Call Trace:\n    kasan_report.cold+0x81/0x165\n    nand_write_page_swecc+0xa9/0x160\n    ubifs_leb_write+0xf2/0x1b0 [ubifs]\n    ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n    write_head+0xdc/0x1c0 [ubifs]\n    ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n    wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter \u0027len\u0027 is not 8\nbytes aligned, the \u0027len\u0027 represents the true length of buf (which is\nallocated in \u0027ubifs_jnl_xxx\u0027, eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from \u0027buf\u0027 carefully\nto write leb safely.\n\nFetch a reproducer in [Link].",
  "id": "GHSA-v3v7-3vrh-65v3",
  "modified": "2025-03-18T21:31:58Z",
  "published": "2025-03-18T21:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47636"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07a209fadee7b53b46858538e1177597273862e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b7fb89135a20587d57f8877c02e25003e9edbdf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f2262a334641e05f645364d5ade1f565c85f20b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5343575aa11c5d7044107d59d43f84aec01312b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7054aaf1909cf40489c0ec1b728fdcf79c751a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b80ccbec0e4804436c382d7dd60e943c386ed83a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e09fa5318d51f522e1af4fbaf8f74999355980c8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.