cve/published/2021/CVE-2021-47366.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server\n\nAFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and\nLinux's afs client switches between them when talking to a non-YFS server\nif the read size, the file position or the sum of the two have the upper 32\nbits set of the 64-bit value.\n\nThis is a problem, however, since the file position and length fields of\nFS.FetchData are *signed* 32-bit values.\n\nFix this by capturing the capability bits obtained from the fileserver when\nit's sent an FS.GetCapabilities RPC, rather than just discarding them, and\nthen picking out the VICED_CAPABILITY_64BITFILES flag.  This can then be\nused to decide whether to use FS.FetchData or FS.FetchData64 - and also\nFS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to\nswitch on the parameter values.\n\nThis capabilities flag could also be used to limit the maximum size of the\nfile, but all servers must be checked for that.\n\nNote that the issue does not exist with FS.StoreData - that uses *unsigned*\n32-bit values.  It's also not a problem with Auristor servers as its\nYFS.FetchData64 op uses unsigned 64-bit values.\n\nThis can be tested by cloning a git repo through an OpenAFS client to an\nOpenAFS server and then doing \"git status\" on it from a Linux afs\nclient[1].  Provided the clone has a pack file that's in the 2G-4G range,\nthe git status will show errors like:\n\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\nThis can be observed in the server's FileLog with something like the\nfollowing appearing:\n\nSun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001\nSun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866\n...\nSun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5\n\nNote the file position of 18446744071815340032.  This is the requested file\nposition sign-extended."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "fs/afs/fs_probe.c",
                   "fs/afs/fsclient.c",
                   "fs/afs/internal.h",
                   "fs/afs/protocol_afs.h",
                   "fs/afs/protocol_yfs.h"
                ],
                "versions": [
                   {
                      "version": "b9b1f8d5930a813879278d0cbfc8c658d6a038dc",
                      "lessThan": "e66fc460d6dcf85cf12288e133a081205aebcd97",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "b9b1f8d5930a813879278d0cbfc8c658d6a038dc",
                      "lessThan": "b537a3c21775075395af475dcc6ef212fcf29db8",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "fs/afs/fs_probe.c",
                   "fs/afs/fsclient.c",
                   "fs/afs/internal.h",
                   "fs/afs/protocol_afs.h",
                   "fs/afs/protocol_yfs.h"
                ],
                "versions": [
                   {
                      "version": "2.6.22",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "2.6.22",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.14.9",
                      "lessThanOrEqual": "5.14.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.22",
                            "versionEndExcluding": "5.14.9"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.22",
                            "versionEndExcluding": "5.15"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/e66fc460d6dcf85cf12288e133a081205aebcd97"
             },
             {
                "url": "https://git.kernel.org/stable/c/b537a3c21775075395af475dcc6ef212fcf29db8"
             }
          ],
          "title": "afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2021-47366",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server\n\nAFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and\nLinux's afs client switches between them when talking to a non-YFS server\nif the read size, the file position or the sum of the two have the upper 32\nbits set of the 64-bit value.\n\nThis is a problem, however, since the file position and length fields of\nFS.FetchData are signed 32-bit values.\n\nFix this by capturing the capability bits obtained from the fileserver when\nit's sent an FS.GetCapabilities RPC, rather than just discarding them, and\nthen picking out the VICED_CAPABILITY_64BITFILES flag. This can then be\nused to decide whether to use FS.FetchData or FS.FetchData64 - and also\nFS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to\nswitch on the parameter values.\n\nThis capabilities flag could also be used to limit the maximum size of the\nfile, but all servers must be checked for that.\n\nNote that the issue does not exist with FS.StoreData - that uses unsigned\n32-bit values. It's also not a problem with Auristor servers as its\nYFS.FetchData64 op uses unsigned 64-bit values.\n\nThis can be tested by cloning a git repo through an OpenAFS client to an\nOpenAFS server and then doing \"git status\" on it from a Linux afs\nclient[1]. Provided the clone has a pack file that's in the 2G-4G range,\nthe git status will show errors like:\n\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\terror: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index\n\nThis can be observed in the server's FileLog with something like the\nfollowing appearing:\n\nSun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001\nSun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154\nSun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866\n...\nSun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5\n\nNote the file position of 18446744071815340032. This is the requested file\nposition sign-extended."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"fs/afs/fs_probe.c",
	"fs/afs/fsclient.c",
	"fs/afs/internal.h",
	"fs/afs/protocol_afs.h",
	"fs/afs/protocol_yfs.h"
	],
	"versions": [
	{
	"version": "b9b1f8d5930a813879278d0cbfc8c658d6a038dc",
	"lessThan": "e66fc460d6dcf85cf12288e133a081205aebcd97",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "b9b1f8d5930a813879278d0cbfc8c658d6a038dc",
	"lessThan": "b537a3c21775075395af475dcc6ef212fcf29db8",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"fs/afs/fs_probe.c",
	"fs/afs/fsclient.c",
	"fs/afs/internal.h",
	"fs/afs/protocol_afs.h",
	"fs/afs/protocol_yfs.h"
	],
	"versions": [
	{
	"version": "2.6.22",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "2.6.22",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.14.9",
	"lessThanOrEqual": "5.14.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.22",
	"versionEndExcluding": "5.14.9"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.22",
	"versionEndExcluding": "5.15"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/e66fc460d6dcf85cf12288e133a081205aebcd97"
	},
	{
	"url": "https://git.kernel.org/stable/c/b537a3c21775075395af475dcc6ef212fcf29db8"
	}
	],
	"title": "afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2021-47366",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}