CVE-2021-47613

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 19/06/2024
Last modified: 30/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

i2c: virtio: fix completion handling

The driver currently assumes that the notify callback is only received when the device is done with all the queued buffers.

However, this is not true, since the notify callback could be called without any of the queued buffers being completed (for example, with virtio-pci and shared interrupts) or with only some of the buffers being completed (since the driver makes them available to the device in multiple separate virtqueue_add_sgs() calls).

This can lead to incorrect data on the I2C bus or memory corruption in the guest if the device operates on buffers which have been freed by the driver. (The WARN_ON in the driver is also triggered.)

    BUG kmalloc-128 (Tainted: G W ): Poison overwritten
    First byte 0x0 instead of 0x6b
    Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28
        memdup_user+0x2e/0xbd
        i2cdev_ioctl_rdwr+0x9d/0x1de
        i2cdev_ioctl+0x247/0x2ed
        vfs_ioctl+0x21/0x30
        sys_ioctl+0xb18/0xb41
    Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28
        kfree+0x1bd/0x1cc
        i2cdev_ioctl_rdwr+0x1bb/0x1de
        i2cdev_ioctl+0x247/0x2ed
        vfs_ioctl+0x21/0x30
        sys_ioctl+0xb18/0xb41

Fix this by calling virtio_get_buf() from the notify handler like other virtio drivers and by actually waiting for all the buffers to be completed.
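The completion-handling difference described above, as an added userspace model in C (not the kernel driver's code and not the upstream patch). The struct and function names are hypothetical, and the notification sequences are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NREQ 3

/* Constructed model: one entry per buffer queued to the device. */
struct req { bool used_by_device; bool completed; };
struct vq  { struct req r[NREQ]; size_t used, reaped; };

/* Constructed notification sequences: buffers finished before each notify. */
static const size_t SHARED_IRQ[]  = {0, 1, 2}; /* spurious, partial, final */
static const size_t ALL_AT_ONCE[] = {3};       /* the case the old code assumed */

/* Device finishes k more buffers (k may be 0), then notifies the driver. */
static void device_step(struct vq *q, size_t k)
{
    while (k-- > 0 && q->used < NREQ)
        q->r[q->used++].used_by_device = true;
}

/* Hypothetical stand-in for the kernel's virtqueue_get_buf():
 * returns the next buffer the device has finished, or NULL. */
static struct req *get_buf(struct vq *q)
{
    return q->reaped < q->used ? &q->r[q->reaped++] : NULL;
}

/* Returns how many buffers the driver frees while the device still owns them. */
static size_t freed_while_in_flight(bool fixed, const size_t *steps, size_t n)
{
    struct vq q = {0};
    size_t done = 0;
    for (size_t i = 0; i < n; i++) {
        device_step(&q, steps[i]);      /* a notification arrives */
        if (!fixed)                     /* before: first notify == all done */
            return NREQ - q.used;
        for (struct req *r; (r = get_buf(&q)) != NULL; done++)
            r->completed = true;        /* after: complete only reaped buffers */
        if (done == NREQ)               /* free only once every request is done */
            return NREQ - q.used;
    }
    return 0;                           /* still waiting: nothing was freed */
}

int main(void)
{
    printf("before fix: %zu freed early\n", freed_while_in_flight(false, SHARED_IRQ, 3));
    printf("after fix:  %zu freed early\n", freed_while_in_flight(true, SHARED_IRQ, 3));
    return 0;
}
```

With `ALL_AT_ONCE` both paths return 0, which is why the old assumption only fails when a notification arrives before every buffer is finished.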

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*