CVE-2021-47636

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 26/02/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()

Function ubifs_wbuf_write_nolock() may access buf out of bounds in the
following process:

ubifs_wbuf_write_nolock():
  aligned_len = ALIGN(len, 8);           // Assume len = 4089, aligned_len = 4096
  if (aligned_len <= wbuf->avail) ...    // Not satisfied
  if (wbuf->used) {
    ubifs_leb_write()                    // Fill some data in avail wbuf
    len -= wbuf->avail;                  // len is still not 8-bytes aligned
    aligned_len -= wbuf->avail;
  }
  n = aligned_len >> c->max_write_shift;
  if (n) {
    n <<= c->max_write_shift;
    err = ubifs_leb_write(c, wbuf->lnum, buf + written,
                          wbuf->offs, n);
    // n > len, read out of bounds less than 8 (n-len) bytes
  }

This can be caught by KASAN:
=========================================================
BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0
Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128
Workqueue: writeback wb_workfn (flush-ubifs_0_0)
Call Trace:
  kasan_report.cold+0x81/0x165
  nand_write_page_swecc+0xa9/0x160
  ubifs_leb_write+0xf2/0x1b0 [ubifs]
  ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]
  write_head+0xdc/0x1c0 [ubifs]
  ubifs_jnl_write_inode+0x627/0x960 [ubifs]
  wb_workfn+0x8af/0xb80

Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8
bytes aligned; 'len' represents the true length of buf (which is allocated
in 'ubifs_jnl_xxx', e.g. ubifs_jnl_write_inode), so
ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully
to write the LEB safely.

Fetch a reproducer in [Link].
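As an added illustration (not code from this page, from the kernel, or from the upstream fix), the following user-space C model walks through the length handling the description above lays out: a write-buffer of one assumed 4096-byte max-write unit, a leb_write() stand-in that plays KASAN's role by recording and refusing any read past the caller's true allocation, the described flow as write_buggy(), and a hardened write_fixed() that stages every whole unit through the write-buffer so it only ever copies min(len, unit) bytes from buf. The struct, the helper names, the 0xFF padding byte and the sample lengths are all assumptions made for this example; the hardened variant is one defensible approach, not a copy of the kernel's patch.

```c
/* Constructed user-space model of the write-buffer length handling described
 * for CVE-2021-47636. Not kernel code: the struct, the leb_write() stand-in and
 * the 4096-byte max-write unit are assumptions made for this example. */
#include <stdlib.h>
#include <string.h>
#define ALIGN8(x)       (((x) + 7) & ~7)
#define MAX_WRITE_SHIFT 12                      /* assumed 4096-byte NAND page */
#define UNIT            (1 << MAX_WRITE_SHIFT)
#define FLASH_SIZE      (8 * UNIT)
struct wbuf {
    unsigned char buf[UNIT];           /* the write-buffer (staging area) */
    int used, avail;                   /* staged bytes (multiple of 8), room left */
    unsigned char flash[FLASH_SIZE];   /* simulated LEB contents */
    int offs, oob_bytes;               /* next LEB offset; largest over-read seen */
};
struct result { int oob, on_flash; };  /* largest over-read; bytes on LEB or -1 */
/* Stand-in for ubifs_leb_write(): src_size is the true allocation; like KASAN,
 * an over-read is recorded and refused instead of silently performed. */
static int leb_write(struct wbuf *w, const unsigned char *src, int src_size, int n)
{
    if (n > src_size) {
        if (n - src_size > w->oob_bytes) w->oob_bytes = n - src_size;
        return -1;
    }
    if (w->offs + n > FLASH_SIZE) return -1;
    memcpy(w->flash + w->offs, src, n);
    w->offs += n;
    return 0;
}
/* Stage len bytes in the write-buffer, padded up to alen (a multiple of 8). */
static void stage(struct wbuf *w, const unsigned char *src, int len, int alen)
{
    memcpy(w->buf + w->used, src, len);
    memset(w->buf + w->used + len, 0xFF, alen - len);
    w->used += alen; w->avail -= alen;
}
/* Shared prologue: 1 if the node fits in the write-buffer, else a partly used
 * buffer is filled and flushed. The fill is in bounds: alen > avail and both
 * are multiples of 8, so len >= alen - 7 >= avail + 1. */
static int prologue(struct wbuf *w, const unsigned char *buf, int *len, int *alen,
                    int *written)
{
    *written = 0;
    if (*alen <= w->avail) { stage(w, buf, *len, *alen); return 1; }
    if (w->used) {
        memcpy(w->buf + w->used, buf, w->avail);
        leb_write(w, w->buf, UNIT, UNIT);
        *written = w->avail; *len -= w->avail; *alen -= w->avail;
        w->used = 0; w->avail = UNIT;
    }
    return 0;
}
/* As the advisory describes it: the aligned remainder is rounded down to whole
 * units and read straight from buf, which holds only len bytes (n may exceed len). */
static int write_buggy(struct wbuf *w, const unsigned char *buf, int len)
{
    int alen = ALIGN8(len), written, n;
    if (prologue(w, buf, &len, &alen, &written)) return 0;
    n = alen >> MAX_WRITE_SHIFT;
    if (n) {
        n <<= MAX_WRITE_SHIFT;
        if (leb_write(w, buf + written, len, n)) return -1;  /* n - len bytes past buf */
        written += n; len -= n; alen -= n;
    }
    stage(w, buf + written, len, alen);
    return 0;
}
/* Hardened variant: every whole unit is staged through the write-buffer, taking
 * only min(len, UNIT) bytes from buf and padding the rest, so no read can run
 * past the allocation whatever the alignment of len. */
static int write_fixed(struct wbuf *w, const unsigned char *buf, int len)
{
    int alen = ALIGN8(len), written, take;
    if (prologue(w, buf, &len, &alen, &written)) return 0;
    while (alen >= UNIT) {
        take = len < UNIT ? len : UNIT;
        memcpy(w->buf, buf + written, take);
        memset(w->buf + take, 0xFF, UNIT - take);
        if (leb_write(w, w->buf, UNIT, UNIT)) return -1;
        written += take; len -= take; alen -= UNIT;
    }
    stage(w, buf + written, len, alen);
    return 0;
}
/* Push one len-byte node of constructed pattern data through either variant with
 * prestaged bytes already in the write-buffer; on_flash is -1 if any byte that
 * reached the LEB differs from the source data. */
static struct result simulate(int len, int prestaged, int use_fixed)
{
    struct wbuf *w = calloc(1, sizeof *w);
    unsigned char *buf = malloc(len);
    struct result r; int i;
    w->used = prestaged; w->avail = UNIT - prestaged;
    for (i = 0; i < len; i++) buf[i] = (unsigned char)i;
    if (use_fixed) write_fixed(w, buf, len); else write_buggy(w, buf, len);
    r.oob = w->oob_bytes; r.on_flash = w->offs;
    for (i = 0; i < len && prestaged + i < w->offs; i++)
        if (w->flash[prestaged + i] != buf[i]) r.on_flash = -1;
    free(buf); free(w);
    return r;
}
```

With an empty write-buffer and an 8185-byte node, the buggy path computes n = 8192 and hands the driver 7 bytes it does not own; with 8 bytes already staged and an 8181-byte node, the fill-and-flush branch leaves len = 4093 against n = 4096 and over-reads 3 bytes, matching the "less than 8 bytes" the description states. The hardened path lands every byte of both nodes intact on the simulated LEB. A production fix could still write the leading n-1 whole units straight from buf, since (n-1) units is always below len; staging all of them here only keeps the example short. In a real kernel the leb_write() role is played by KASAN, which is why the report above fires inside the NAND ECC code rather than in ubifs itself.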

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.27 (including) 4.19.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.2 (excluding)