{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2021-47107", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix READDIR buffer overflow\n\nIf a client sends a READDIR count argument that is too small (say,\nzero), then the buffer size calculation in the new init_dirlist\nhelper functions results in an underflow, allowing the XDR stream\nfunctions to write beyond the actual buffer.\n\nThis calculation has always been suspect. NFSD has never sanity-\nchecked the READDIR count argument, but the old entry encoders\nmanaged the problem correctly.\n\nWith the commits below, entry encoding changed, exposing the\nunderflow to the pointer arithmetic in xdr_reserve_space().\n\nModern NFS clients attempt to retrieve as much data as possible\nfor each READDIR request. Also, we have no unit tests that\nexercise the behavior of READDIR at the lower bound of @count\nvalues. Thus this case was missed during testing." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "37aa5e640222", "version_value": "9e291a6a28d3" }, { "version_affected": "<", "version_name": "7f87fc2d34d4", "version_value": "eabc0aab98e5" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "5.13", "status": "affected" }, { "version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.12", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1" }, { "url": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885" }, { "url": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72" } ] }, "generator": { "engine": "bippy-7d53e8ef8be4" } }