CVE-2021-47066
async_xor: increase src_offs when dropping destination page
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
async_xor: increase src_offs when dropping destination page
Now we support sharing one page if PAGE_SIZE is not equal stripe size. To
support this, it needs to support calculating xor value with different
offsets for each r5dev. One offset array is used to record those offsets.
In RMW mode, parity page is used as a source page. It sets
ASYNC_TX_XOR_DROP_DST before calculating xor value in ops_run_prexor5.
So it needs to add src_list and src_offs at the same time. Now it only
needs src_list. So the xor value which is calculated is wrong. It can
cause data corruption problem.
I can reproduce this problem 100% on a POWER8 machine. The steps are:
mdadm -CR /dev/md0 -l5 -n3 /dev/sdb1 /dev/sdc1 /dev/sdd1 --size=3G
mkfs.xfs /dev/md0
mount /dev/md0 /mnt/test
mount: /mnt/test: mount(2) system call failed: Structure needs cleaning.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: async_xor: aumenta src_offs al eliminar la página de destino. Ahora admitimos compartir una página si PAGE_SIZE no tiene el mismo tamaño de banda. Para respaldar esto, debe admitir el cálculo del valor xor con diferentes compensaciones para cada r5dev. Se utiliza una matriz de desplazamiento para registrar esos desplazamientos. En el modo RMW, la página de paridad se utiliza como página de origen. Establece ASYNC_TX_XOR_DROP_DST antes de calcular el valor xor en ops_run_prexor5. Por lo tanto, es necesario agregar src_list y src_offs al mismo tiempo. Ahora sólo necesita src_list. Entonces el valor xor que se calcula es incorrecto. Puede causar problemas de corrupción de datos. Puedo reproducir este problema al 100% en una máquina POWER8. Los pasos son: mdadm -CR /dev/md0 -l5 -n3 /dev/sdb1 /dev/sdc1 /dev/sdd1 --size=3G mkfs.xfs /dev/md0 mount /dev/md0 /mnt/test mount: /mnt/test: la llamada al sistema mount(2) falló: la estructura necesita limpieza.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-29 CVE Reserved
- 2024-02-29 CVE Published
- 2024-03-01 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/29bcff787a2593b2126cfaff612c0b4e560022e9 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 5.10.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.10.37" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 5.11.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.11.21" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 5.12.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.12.4" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.13" | en |
Affected
| ||||||