{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47390","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-21T14:58:30.813Z","datePublished":"2024-05-21T15:03:48.883Z","dateUpdated":"2025-05-04T07:09:59.628Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:09:59.628Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()\n\nKASAN reports the following issue:\n\n BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798\n\n CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G               X --------- ---\n Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020\n Call Trace:\n  dump_stack+0xa5/0xe6\n  print_address_description.constprop.0+0x18/0x130\n  ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  __kasan_report.cold+0x7f/0x114\n  ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  kasan_report+0x38/0x50\n  kasan_check_range+0xf5/0x1d0\n  kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]\n  ? kvm_arch_exit+0x110/0x110 [kvm]\n  ? sched_clock+0x5/0x10\n  ioapic_write_indirect+0x59f/0x9e0 [kvm]\n  ? static_obj+0xc0/0xc0\n  ? __lock_acquired+0x1d2/0x8c0\n  ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]\n\nThe problem appears to be that 'vcpu_bitmap' is allocated as a single long\non stack and it should really be KVM_MAX_VCPUS long. We also seem to clear\nthe lower 16 bits of it with bitmap_zero() for no particular reason (my\nguess would be that 'bitmap' and 'vcpu_bitmap' variables in\nkvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed\n16-bit long, the later should accommodate all possible vCPUs)."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/ioapic.c"],"versions":[{"version":"7ee30bc132c683d06a6d9e360e39e483e3990708","lessThan":"bebabb76ad9acca8858e0371e102fb60d708e25b","status":"affected","versionType":"git"},{"version":"7ee30bc132c683d06a6d9e360e39e483e3990708","lessThan":"99a9e9b80f19fc63be005a33d76211dd23114792","status":"affected","versionType":"git"},{"version":"7ee30bc132c683d06a6d9e360e39e483e3990708","lessThan":"2f9b68f57c6278c322793a06063181deded0ad69","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/ioapic.c"],"versions":[{"version":"5.5","status":"affected"},{"version":"0","lessThan":"5.5","status":"unaffected","versionType":"semver"},{"version":"5.10.71","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.14.10","lessThanOrEqual":"5.14.*","status":"unaffected","versionType":"semver"},{"version":"5.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.71"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.14.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b"},{"url":"https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792"},{"url":"https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69"}],"title":"KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T17:37:17.652949Z","id":"CVE-2021-47390","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-17T17:38:01.491Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:39:59.812Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69","tags":["x_transferred"]}]}]}}