CVE-2021-47107 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix READDIR buffer overflow If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer. This calculation has always been suspect. NFSD has never sanity- checked the READDIR count argument, but the old entry encoders managed the problem correctly. With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space(). Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72
https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1
https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885
https://lore.kernel.org/linux-cve-announce/2024030445-CVE-2021-47107-7dda@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2021-47107
https://www.cve.org/CVERecord?id=CVE-2021-47107

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-03-04T18:15:38.706Z

Updated: 2024-08-04T05:24:39.886Z

Reserved: 2024-03-04T18:12:48.835Z

Link: CVE-2021-47107

Vulnrichment

Updated: 2024-08-04T05:24:39.886Z

NVD

Status : Awaiting Analysis

Published: 2024-03-04T19:15:18.793

Modified: 2024-06-21T14:15:10.653

Link: CVE-2021-47107

Redhat

Severity : Moderate

Publid Date: 2024-03-04T00:00:00Z

Links: CVE-2021-47107 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47107", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-03-04T18:12:48.835Z", "datePublished": "2024-03-04T18:15:38.706Z", "dateUpdated": "2024-08-04T05:24:39.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-06-21T13:27:24.625Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix READDIR buffer overflow\n\nIf a client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\n\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\n\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\n\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfs3proc.c", "fs/nfsd/nfsproc.c"], "versions": [{"version": "37aa5e640222", "lessThan": "9e291a6a28d3", "status": "affected", "versionType": "git"}, {"version": "7f87fc2d34d4", "lessThan": "eabc0aab98e5", "status": "affected", "versionType": "git"}, {"version": "7f87fc2d34d4", "lessThan": "53b1119a6e50", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nfsd/nfs3proc.c", "fs/nfsd/nfsproc.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.12", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1"}, {"url": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885"}, {"url": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72"}], "title": "NFSD: Fix READDIR buffer overflow", "x_generator": {"engine": "bippy-7d53e8ef8be4"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T14:23:20.067017Z", "id": "CVE-2021-47107", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:23:30.968Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.886Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.886Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47107", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T14:23:20.067017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:23:26.949Z"}}], "cna": {"title": "NFSD: Fix READDIR buffer overflow", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "37aa5e640222", "lessThan": "9e291a6a28d3", "versionType": "git"}, {"status": "affected", "version": "7f87fc2d34d4", "lessThan": "eabc0aab98e5", "versionType": "git"}, {"status": "affected", "version": "7f87fc2d34d4", "lessThan": "53b1119a6e50", "versionType": "git"}], "programFiles": ["fs/nfsd/nfs3proc.c", "fs/nfsd/nfsproc.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.13"}, {"status": "unaffected", "version": "0", "lessThan": "5.13", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.12", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/nfsd/nfs3proc.c", "fs/nfsd/nfsproc.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1"}, {"url": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885"}, {"url": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72"}], "x_generator": {"engine": "bippy-7d53e8ef8be4"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix READDIR buffer overflow\n\nIf a client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\n\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\n\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\n\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-06-21T13:27:24.625Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47107", "state": "PUBLISHED", "dateUpdated": "2024-08-04T05:24:39.886Z", "dateReserved": "2024-03-04T18:12:48.835Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-03-04T18:15:38.706Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix READDIR buffer overflow\n\nIf a client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\n\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\n\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\n\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: NFSD: corrige el desbordamiento del b\u00fafer READDIR Si un cliente env\u00eda un argumento de recuento READDIR que es demasiado peque\u00f1o (digamos, cero), entonces el c\u00e1lculo del tama\u00f1o del b\u00fafer en las nuevas funciones auxiliares init_dirlist da como resultado un subdesbordamiento, lo que permite que las funciones de flujo XDR escriban m\u00e1s all\u00e1 del b\u00fafer real. Este c\u00e1lculo siempre ha sido sospechoso. NFSD nunca ha verificado la cordura del argumento de conteo READDIR, pero los codificadores de entrada antiguos manejaron el problema correctamente. Con las confirmaciones a continuaci\u00f3n, la codificaci\u00f3n de entrada cambi\u00f3, exponiendo el desbordamiento a la aritm\u00e9tica del puntero en xdr_reserve_space(). Los clientes NFS modernos intentan recuperar la mayor cantidad de datos posible para cada solicitud READDIR. Adem\u00e1s, no tenemos pruebas unitarias que ejerzan el comportamiento de READDIR en el l\u00edmite inferior de los valores @count. Por lo tanto, este caso se pas\u00f3 por alto durante las pruebas."}], "id": "CVE-2021-47107", "lastModified": "2024-06-21T14:15:10.653", "metrics": {}, "published": "2024-03-04T19:15:18.793", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: NFSD: Fix READDIR buffer overflow", "id": "2267911", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267911"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-121", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nNFSD: Fix READDIR buffer overflow\nIf a client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing."], "name": "CVE-2021-47107", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47107\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47107\nhttps://lore.kernel.org/linux-cve-announce/2024030445-CVE-2021-47107-7dda@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.12, kernel 5.16"}