CVE-2021-47561

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 24/05/2024
Last modified: 18/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

i2c: virtio: disable timeout handling

If a timeout is hit, it can result in incorrect data on the I2C bus and/or memory corruptions in the guest since the device can still be operating on the buffers it was given while the guest has freed them.

Here is, for example, the start of a slub_debug splat which was triggered on the next transfer after one transfer was forced to timeout by setting a breakpoint in the backend (rust-vmm/vhost-device):

    BUG kmalloc-1k (Not tainted): Poison overwritten
    First byte 0x1 instead of 0x6b
    Allocated in virtio_i2c_xfer+0x65/0x35c age=350 cpu=0 pid=29
      __kmalloc+0xc2/0x1c9
      virtio_i2c_xfer+0x65/0x35c
      __i2c_transfer+0x429/0x57d
      i2c_transfer+0x115/0x134
      i2cdev_ioctl_rdwr+0x16a/0x1de
      i2cdev_ioctl+0x247/0x2ed
      vfs_ioctl+0x21/0x30
      sys_ioctl+0xb18/0xb41
    Freed in virtio_i2c_xfer+0x32e/0x35c age=244 cpu=0 pid=29
      kfree+0x1bd/0x1cc
      virtio_i2c_xfer+0x32e/0x35c
      __i2c_transfer+0x429/0x57d
      i2c_transfer+0x115/0x134
      i2cdev_ioctl_rdwr+0x16a/0x1de
      i2cdev_ioctl+0x247/0x2ed
      vfs_ioctl+0x21/0x30
      sys_ioctl+0xb18/0xb41

There is no simple fix for this (the driver would have to always create bounce buffers and hold on to them until the device eventually returns the buffers), so just disable the timeout support for now.
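Added example (not code from the kernel commit or from this advisory): a user-space C model of the sequence described above, in which the guest frees a buffer on timeout while the device still holds it. All names are hypothetical, and the free is modelled as slub_debug-style poisoning with 0x6b so the late device write can be observed without real undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POISON  0x6b  /* byte slub_debug writes into freed objects */
#define BUF_LEN 16

/* Constructed model of one in-flight request: the device keeps a pointer
 * to the guest buffer until it returns it. Names are hypothetical. */
struct request { unsigned char *buf; };

/* Model of kfree() under slub_debug: poison the object instead of
 * releasing it, so a later write is observable without real UB. */
static void model_free(unsigned char *obj) { memset(obj, POISON, BUF_LEN); }

/* The device finishes and writes its result into the buffer it was given. */
static void device_complete(struct request *req) { req->buf[0] = 0x1; }

/* Runs one transfer. With use_timeout the driver gives up and frees the
 * buffer before the device completes; without it the driver waits first.
 * Returns true if the freed object's poison is intact afterwards. */
bool run_xfer(bool use_timeout, unsigned char *first_byte) {
    unsigned char obj[BUF_LEN] = {0};
    struct request req = { .buf = obj };

    if (use_timeout) {
        model_free(obj);        /* timeout hit: guest frees the buffer */
        device_complete(&req);  /* device still operates on it */
    } else {
        device_complete(&req);  /* device returns the buffer first */
        model_free(obj);
    }
    *first_byte = obj[0];
    for (size_t i = 0; i < BUF_LEN; i++)
        if (obj[i] != POISON) return false;
    return true;
}

int main(void) {
    unsigned char b;
    bool ok = run_xfer(true, &b);
    printf("timeout:    poison %s, first byte 0x%x\n", ok ? "intact" : "overwritten", b);
    ok = run_xfer(false, &b);
    printf("no timeout: poison %s, first byte 0x%x\n", ok ? "intact" : "overwritten", b);
    return 0;
}
```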

Vulnerable products and versions

CPE                                                  From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.15 (including)    5.15.6 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*