{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47636", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:48:21.519Z", "datePublished": "2025-02-26T01:54:10.206Z", "dateUpdated": "2025-02-26T01:54:10.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-26T01:54:10.206Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096\n if (aligned_len <= wbuf->avail) ... // Not satisfy\n if (wbuf->used) {\n ubifs_leb_write() // Fill some data in avail wbuf\n len -= wbuf->avail; // len is still not 8-bytes aligned\n aligned_len -= wbuf->avail;\n }\n n = aligned_len >> c->max_write_shift;\n if (n) {\n n <<= c->max_write_shift;\n err = ubifs_leb_write(c, wbuf->lnum, buf + written,\n wbuf->offs, n);\n // n > len, read out of bounds less than 8(n-len) bytes\n }\n\n, which can be catched by KASAN:\n =========================================================\n BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n Call Trace:\n kasan_report.cold+0x81/0x165\n nand_write_page_swecc+0xa9/0x160\n ubifs_leb_write+0xf2/0x1b0 [ubifs]\n ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n write_head+0xdc/0x1c0 [ubifs]\n ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned, the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write leb safely.\n\nFetch a reproducer in [Link]."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ubifs/io.c"], "versions": [{"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "5343575aa11c5d7044107d59d43f84aec01312b0", "status": "affected", "versionType": "git"}, {"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "b80ccbec0e4804436c382d7dd60e943c386ed83a", "status": "affected", "versionType": "git"}, {"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "07a209fadee7b53b46858538e1177597273862e4", "status": "affected", "versionType": "git"}, {"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "a7054aaf1909cf40489c0ec1b728fdcf79c751a6", "status": "affected", "versionType": "git"}, {"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "e09fa5318d51f522e1af4fbaf8f74999355980c8", "status": "affected", "versionType": "git"}, {"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "3b7fb89135a20587d57f8877c02e25003e9edbdf", "status": "affected", "versionType": "git"}, {"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d", "lessThan": "4f2262a334641e05f645364d5ade1f565c85f20b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ubifs/io.c"], "versions": [{"version": "2.6.27", "status": "affected"}, {"version": "0", "lessThan": "2.6.27", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.238", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.189", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.110", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.33", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.19", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.2", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/5343575aa11c5d7044107d59d43f84aec01312b0"}, {"url": "https://git.kernel.org/stable/c/b80ccbec0e4804436c382d7dd60e943c386ed83a"}, {"url": "https://git.kernel.org/stable/c/07a209fadee7b53b46858538e1177597273862e4"}, {"url": "https://git.kernel.org/stable/c/a7054aaf1909cf40489c0ec1b728fdcf79c751a6"}, {"url": "https://git.kernel.org/stable/c/e09fa5318d51f522e1af4fbaf8f74999355980c8"}, {"url": "https://git.kernel.org/stable/c/3b7fb89135a20587d57f8877c02e25003e9edbdf"}, {"url": "https://git.kernel.org/stable/c/4f2262a334641e05f645364d5ade1f565c85f20b"}], "title": "ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF5DCB1F-AE17-4717-80C7-5786A2F74C0C", "versionEndExcluding": "4.19.238", "versionStartIncluding": "2.6.27", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CB6E8F5-C2B1-46F3-A807-0F6104AC340F", "versionEndExcluding": "5.4.189", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "91D3BFD0-D3F3-4018-957C-96CCBF357D79", "versionEndExcluding": "5.10.110", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5", "versionEndExcluding": "5.15.33", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096\n if (aligned_len <= wbuf->avail) ... // Not satisfy\n if (wbuf->used) {\n ubifs_leb_write() // Fill some data in avail wbuf\n len -= wbuf->avail; // len is still not 8-bytes aligned\n aligned_len -= wbuf->avail;\n }\n n = aligned_len >> c->max_write_shift;\n if (n) {\n n <<= c->max_write_shift;\n err = ubifs_leb_write(c, wbuf->lnum, buf + written,\n wbuf->offs, n);\n // n > len, read out of bounds less than 8(n-len) bytes\n }\n\n, which can be catched by KASAN:\n =========================================================\n BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n Call Trace:\n kasan_report.cold+0x81/0x165\n nand_write_page_swecc+0xa9/0x160\n ubifs_leb_write+0xf2/0x1b0 [ubifs]\n ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n write_head+0xdc/0x1c0 [ubifs]\n ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned, the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write leb safely.\n\nFetch a reproducer in [Link]."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ubifs: Se corrige la lectura fuera de los l\u00edmites en la funci\u00f3n ubifs_wbuf_write_nolock() ubifs_wbuf_write_nolock() puede acceder a buf fuera de los l\u00edmites en el siguiente proceso: ubifs_wbuf_write_nolock(): classified_len = ALIGN(len, 8); // Supongamos que len = 4089, classified_len = 4096 if (aligned_len &lt;= wbuf-&gt;avail) ... // No satisface if (wbuf-&gt;used) { ubifs_leb_write() // Complete algunos datos en avail wbuf len -= wbuf-&gt;avail; // len a\u00fan no est\u00e1 alineado a 8 bytes classified_len -= wbuf-&gt;avail; } n = classified_len &gt;&gt; c-&gt;max_write_shift; if (n) { n &lt;&lt;= c-&gt;max_write_shift; err = ubifs_leb_write(c, wbuf-&gt;lnum, buf + escrito, wbuf-&gt;offs, n); // n &gt; len, lectura fuera de los l\u00edmites menor a 8(n-len) bytes }, lo cual puede ser detectado por KASAN: =========================================================== ERROR: KASAN: slab fuera de los l\u00edmites en ecc_sw_hamming_calculate+0x1dc/0x7d0 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff888105594ff8 por la tarea kworker/u8:4/128 Cola de trabajo: escritura diferida wb_workfn (flush-ubifs_0_0) Rastreo de llamadas: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 La funci\u00f3n ubifs_wbuf_write_nolock() acepta que el par\u00e1metro 'len' no est\u00e9 alineado con 8 bytes, 'len' representa la longitud verdadera de buf (que est\u00e1 asignada en 'ubifs_jnl_xxx', p. ej. ubifs_jnl_write_inode), por lo que ubifs_wbuf_write_nolock() debe manejar la longitud le\u00edda de 'buf' con cuidado para escribir leb de forma segura. Obtenga un reproductor en [Enlace]."}], "id": "CVE-2021-47636", "lastModified": "2025-03-18T19:29:55.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T06:37:05.377", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/07a209fadee7b53b46858538e1177597273862e4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3b7fb89135a20587d57f8877c02e25003e9edbdf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4f2262a334641e05f645364d5ade1f565c85f20b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5343575aa11c5d7044107d59d43f84aec01312b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a7054aaf1909cf40489c0ec1b728fdcf79c751a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b80ccbec0e4804436c382d7dd60e943c386ed83a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e09fa5318d51f522e1af4fbaf8f74999355980c8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()", "id": "2348010", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348010"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\nubifs_wbuf_write_nolock():\naligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096\nif (aligned_len <= wbuf->avail) ... // Not satisfy\nif (wbuf->used) {\nubifs_leb_write() // Fill some data in avail wbuf\nlen -= wbuf->avail; // len is still not 8-bytes aligned\naligned_len -= wbuf->avail;\n}\nn = aligned_len >> c->max_write_shift;\nif (n) {\nn <<= c->max_write_shift;\nerr = ubifs_leb_write(c, wbuf->lnum, buf + written,\nwbuf->offs, n);\n// n > len, read out of bounds less than 8(n-len) bytes\n}\n, which can be catched by KASAN:\n=========================================================\nBUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\nRead of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\nWorkqueue: writeback wb_workfn (flush-ubifs_0_0)\nCall Trace:\nkasan_report.cold+0x81/0x165\nnand_write_page_swecc+0xa9/0x160\nubifs_leb_write+0xf2/0x1b0 [ubifs]\nubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\nwrite_head+0xdc/0x1c0 [ubifs]\nubifs_jnl_write_inode+0x627/0x960 [ubifs]\nwb_workfn+0x8af/0xb80\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned, the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write leb safely.\nFetch a reproducer in [Link]."], "name": "CVE-2021-47636", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47636\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47636\nhttps://lore.kernel.org/linux-cve-announce/2025022646-CVE-2021-47636-09a4@gregkh/T"], "threat_severity": "Moderate"}