CVE-2021-47366

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server<br /> <br /> AFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and<br /> Linux&amp;#39;s afs client switches between them when talking to a non-YFS server<br /> if the read size, the file position or the sum of the two have the upper 32<br /> bits set of the 64-bit value.<br /> <br /> This is a problem, however, since the file position and length fields of<br /> FS.FetchData are *signed* 32-bit values.<br /> <br /> Fix this by capturing the capability bits obtained from the fileserver when<br /> it&amp;#39;s sent an FS.GetCapabilities RPC, rather than just discarding them, and<br /> then picking out the VICED_CAPABILITY_64BITFILES flag. This can then be<br /> used to decide whether to use FS.FetchData or FS.FetchData64 - and also<br /> FS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to<br /> switch on the parameter values.<br /> <br /> This capabilities flag could also be used to limit the maximum size of the<br /> file, but all servers must be checked for that.<br /> <br /> Note that the issue does not exist with FS.StoreData - that uses *unsigned*<br /> 32-bit values. It&amp;#39;s also not a problem with Auristor servers as its<br /> YFS.FetchData64 op uses unsigned 64-bit values.<br /> <br /> This can be tested by cloning a git repo through an OpenAFS client to an<br /> OpenAFS server and then doing "git status" on it from a Linux afs<br /> client[1]. Provided the clone has a pack file that&amp;#39;s in the 2G-4G range,<br /> the git status will show errors like:<br /> <br /> error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index<br /> error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index<br /> <br /> This can be observed in the server&amp;#39;s FileLog with something like the<br /> following appearing:<br /> <br /> Sun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001<br /> Sun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001<br /> Sun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154<br /> Sun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866<br /> ...<br /> Sun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5<br /> <br /> Note the file position of 18446744071815340032. This is the requested file<br /> position sign-extended.