cve/published/2021/CVE-2021-47366.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47366: afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server

 AFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and
 Linux's afs client switches between them when talking to a non-YFS server
 if the read size, the file position or the sum of the two have the upper 32
 bits set of the 64-bit value.

 This is a problem, however, since the file position and length fields of
 FS.FetchData are *signed* 32-bit values.

 Fix this by capturing the capability bits obtained from the fileserver when
 it's sent an FS.GetCapabilities RPC, rather than just discarding them, and
 then picking out the VICED_CAPABILITY_64BITFILES flag.  This can then be
 used to decide whether to use FS.FetchData or FS.FetchData64 - and also
 FS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to
 switch on the parameter values.

 This capabilities flag could also be used to limit the maximum size of the
 file, but all servers must be checked for that.

 Note that the issue does not exist with FS.StoreData - that uses *unsigned*
 32-bit values.  It's also not a problem with Auristor servers as its
 YFS.FetchData64 op uses unsigned 64-bit values.

 This can be tested by cloning a git repo through an OpenAFS client to an
 OpenAFS server and then doing "git status" on it from a Linux afs
 client[1].  Provided the clone has a pack file that's in the 2G-4G range,
 the git status will show errors like:

 	error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index
 	error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index

 This can be observed in the server's FileLog with something like the
 following appearing:

 Sun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001
 Sun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001
 Sun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154
 Sun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866
 ...
 Sun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5

 Note the file position of 18446744071815340032.  This is the requested file
 position sign-extended.

 The Linux kernel CVE team has assigned CVE-2021-47366 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.22 with commit b9b1f8d5930a813879278d0cbfc8c658d6a038dc and fixed in 5.14.9 with commit e66fc460d6dcf85cf12288e133a081205aebcd97
 	Issue introduced in 2.6.22 with commit b9b1f8d5930a813879278d0cbfc8c658d6a038dc and fixed in 5.15 with commit b537a3c21775075395af475dcc6ef212fcf29db8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47366
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/afs/fs_probe.c
 	fs/afs/fsclient.c
 	fs/afs/internal.h
 	fs/afs/protocol_afs.h
 	fs/afs/protocol_yfs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e66fc460d6dcf85cf12288e133a081205aebcd97
 	https://git.kernel.org/stable/c/b537a3c21775075395af475dcc6ef212fcf29db8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47366: afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server

	AFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and
	Linux's afs client switches between them when talking to a non-YFS server
	if the read size, the file position or the sum of the two have the upper 32
	bits set of the 64-bit value.

	This is a problem, however, since the file position and length fields of
	FS.FetchData are signed 32-bit values.

	Fix this by capturing the capability bits obtained from the fileserver when
	it's sent an FS.GetCapabilities RPC, rather than just discarding them, and
	then picking out the VICED_CAPABILITY_64BITFILES flag. This can then be
	used to decide whether to use FS.FetchData or FS.FetchData64 - and also
	FS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to
	switch on the parameter values.

	This capabilities flag could also be used to limit the maximum size of the
	file, but all servers must be checked for that.

	Note that the issue does not exist with FS.StoreData - that uses unsigned
	32-bit values. It's also not a problem with Auristor servers as its
	YFS.FetchData64 op uses unsigned 64-bit values.

	This can be tested by cloning a git repo through an OpenAFS client to an
	OpenAFS server and then doing "git status" on it from a Linux afs
	client[1]. Provided the clone has a pack file that's in the 2G-4G range,
	the git status will show errors like:

	error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index
	error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index

	This can be observed in the server's FileLog with something like the
	following appearing:

	Sun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001
	Sun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001
	Sun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154
	Sun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866
	...
	Sun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5

	Note the file position of 18446744071815340032. This is the requested file
	position sign-extended.

	The Linux kernel CVE team has assigned CVE-2021-47366 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.22 with commit b9b1f8d5930a813879278d0cbfc8c658d6a038dc and fixed in 5.14.9 with commit e66fc460d6dcf85cf12288e133a081205aebcd97
	Issue introduced in 2.6.22 with commit b9b1f8d5930a813879278d0cbfc8c658d6a038dc and fixed in 5.15 with commit b537a3c21775075395af475dcc6ef212fcf29db8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47366
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/afs/fs_probe.c
	fs/afs/fsclient.c
	fs/afs/internal.h
	fs/afs/protocol_afs.h
	fs/afs/protocol_yfs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e66fc460d6dcf85cf12288e133a081205aebcd97
	https://git.kernel.org/stable/c/b537a3c21775075395af475dcc6ef212fcf29db8