CVE-2021-47636
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link].
Security Summary
CVE-2021-47636 is an out-of-bounds read vulnerability in the Linux kernel's UBIFS (Unsorted Block Images File System) implementation, specifically within the ubifs_wbuf_write_nolock() function. This function can access the input buffer beyond its allocated bounds when handling unaligned lengths during write operations to LEBs (Logical Erase Blocks). For example, if the input length is 4089 bytes, it gets aligned to 4096 bytes, but after partially filling the write buffer and subtracting the used amount, subsequent calls to ubifs_leb_write() may read up to 8 bytes past the buffer's end. The issue was detected by KASAN during kernel writeback operations involving NAND flash pages with software ECC.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation occurs during UBIFS journal writes, such as ubifs_jnl_write_inode(), triggered by normal filesystem operations like inode updates in a writeback workqueue. Successful exploitation leads to high-impact confidentiality violations through out-of-bounds reads of adjacent slab memory and high availability impact via kernel crashes, but without integrity effects.
Mitigation involves applying upstream kernel patches from the provided stable branch commits, such as 07a209fadee7b53b46858538e1177597273862e4, 3b7fb89135a20587d57f8877c02e25003e9edbdf, 4f2262a334641e05f645364d5ade1f565c85f20b, 5343575aa11c5d7044107d59d43f84aec01312b0, and a7054aaf1909cf40489c0ec1b728fdcf79c751a6. These fixes ensure ubifs_wbuf_write_nolock() properly handles unaligned lengths without exceeding buffer bounds during LEB writes. Systems using UBIFS on NAND storage should update to patched kernel versions.
Details
- CWE(s)