CVE-2021-46952

NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds

Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused
by a garbage timeout (retrans) mount option being passed to nfs mount,
in this case from syzkaller.

If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift
value for a 64-bit long integer, so 'retrans' cannot be >= 64.
If it is >= 64, fail the mount and return an error.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: fs_context: valida las retransmisiones UDP para evitar cambios fuera de los límites. Corrige cambios fuera de los límites en xprt_calc_majortimeo(). Esto se debe a que se pasa una opción de montaje de tiempo de espera de basura (retransmisión) al montaje nfs, en este caso desde syzkaller. Si el protocolo es XPRT_TRANSPORT_UDP, entonces 'retrans' es un valor de desplazamiento para un entero largo de 64 bits, por lo que 'retrans' no puede ser >= 64. Si es >= 64, falla el montaje y devuelve un error.

*Credits: N/A

CVSS Scores

NISTv3.1 7.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-02-27 CVE Published
2024-04-21 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/9954bf92c0cddd50a2a470be302e1c1ffdf21d42	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/96fa26b74cdcf9f5c98996bf36bec9fb5b19ffe2	2021-05-11
https://git.kernel.org/stable/c/2f3380121d49e829fb73ba86240c181bc32ad897	2021-05-12
https://git.kernel.org/stable/c/3d0163821c035040a46d816a42c0780f0f0a30a8	2021-05-12
https://git.kernel.org/stable/c/c09f11ef35955785f92369e25819bf0629df2e59	2021-04-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 5.10.36 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.10.36"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 5.11.20 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.11.20"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 5.12.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.12.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.13"		en		Affected