{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2021-46984",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-02-27T18:42:55.946Z",
        "datePublished": "2024-02-28T08:13:12.835Z",
        "dateUpdated": "2024-09-11T17:33:40.792Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:00:00.429Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkyber: fix out of bounds access when preempted\n\n__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and\npasses the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx\nfor the current CPU again and uses that to get the corresponding Kyber\ncontext in the passed hctx. However, the thread may be preempted between\nthe two calls to blk_mq_get_ctx(), and the ctx returned the second time\nmay no longer correspond to the passed hctx. This \"works\" accidentally\nmost of the time, but it can cause us to read garbage if the second ctx\ncame from an hctx with more ctx's than the first one (i.e., if\nctx->index_hw[hctx->type] > hctx->nr_ctx).\n\nThis manifested as this UBSAN array index out of bounds error reported\nby Jakub:\n\nUBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9\nindex 13106 is out of range for type 'long unsigned int [128]'\nCall Trace:\n dump_stack+0xa4/0xe5\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34\n queued_spin_lock_slowpath+0x476/0x480\n do_raw_spin_lock+0x1c2/0x1d0\n kyber_bio_merge+0x112/0x180\n blk_mq_submit_bio+0x1f5/0x1100\n submit_bio_noacct+0x7b0/0x870\n submit_bio+0xc2/0x3a0\n btrfs_map_bio+0x4f0/0x9d0\n btrfs_submit_data_bio+0x24e/0x310\n submit_one_bio+0x7f/0xb0\n submit_extent_page+0xc4/0x440\n __extent_writepage_io+0x2b8/0x5e0\n __extent_writepage+0x28d/0x6e0\n extent_write_cache_pages+0x4d7/0x7a0\n extent_writepages+0xa2/0x110\n do_writepages+0x8f/0x180\n __writeback_single_inode+0x99/0x7f0\n writeback_sb_inodes+0x34e/0x790\n __writeback_inodes_wb+0x9e/0x120\n wb_writeback+0x4d2/0x660\n wb_workfn+0x64d/0xa10\n process_one_work+0x53a/0xa80\n worker_thread+0x69/0x5b0\n kthread+0x20b/0x240\n ret_from_fork+0x1f/0x30\n\nOnly Kyber uses the hctx, so fix it by passing the request_queue to\n->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can\nmap the queues itself to avoid the mismatch."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "block/bfq-iosched.c",
                        "block/blk-mq-sched.c",
                        "block/kyber-iosched.c",
                        "block/mq-deadline.c",
                        "include/linux/elevator.h"
                    ],
                    "versions": [
                        {
                            "version": "a6088845c2bf",
                            "lessThan": "0b6b4b90b74c",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "a6088845c2bf",
                            "lessThan": "54dbe2d2c1fc",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "a6088845c2bf",
                            "lessThan": "a287cd84e047",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "a6088845c2bf",
                            "lessThan": "2ef3c76540c4",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "a6088845c2bf",
                            "lessThan": "efed9a3337e3",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "block/bfq-iosched.c",
                        "block/blk-mq-sched.c",
                        "block/kyber-iosched.c",
                        "block/mq-deadline.c",
                        "include/linux/elevator.h"
                    ],
                    "versions": [
                        {
                            "version": "4.18",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "4.18",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.4.120",
                            "lessThanOrEqual": "5.4.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.38",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.11.22",
                            "lessThanOrEqual": "5.11.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.12.5",
                            "lessThanOrEqual": "5.12.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.13",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5"
                },
                {
                    "url": "https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f"
                },
                {
                    "url": "https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6"
                },
                {
                    "url": "https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df"
                },
                {
                    "url": "https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d"
                }
            ],
            "title": "kyber: fix out of bounds access when preempted",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-04T05:24:37.898Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            },
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2021-46984",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-09-10T16:01:11.596982Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-11T17:33:40.792Z"
                }
            }
        ]
    }
}