{"id":"CVE-2021-47636","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()\n\nFunction ubifs_wbuf_write_nolock() may access buf out of bounds in\nfollowing process:\n\nubifs_wbuf_write_nolock():\n  aligned_len = ALIGN(len, 8);   // Assume len = 4089, aligned_len = 4096\n  if (aligned_len \u003c= wbuf-\u003eavail) ... // Not satisfy\n  if (wbuf-\u003eused) {\n    ubifs_leb_write()  // Fill some data in avail wbuf\n    len -= wbuf-\u003eavail;   // len is still not 8-bytes aligned\n    aligned_len -= wbuf-\u003eavail;\n  }\n  n = aligned_len \u003e\u003e c-\u003emax_write_shift;\n  if (n) {\n    n \u003c\u003c= c-\u003emax_write_shift;\n    err = ubifs_leb_write(c, wbuf-\u003elnum, buf + written,\n                          wbuf-\u003eoffs, n);\n    // n \u003e len, read out of bounds less than 8(n-len) bytes\n  }\n\n, which can be catched by KASAN:\n  =========================================================\n  BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0\n  Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128\n  Workqueue: writeback wb_workfn (flush-ubifs_0_0)\n  Call Trace:\n    kasan_report.cold+0x81/0x165\n    nand_write_page_swecc+0xa9/0x160\n    ubifs_leb_write+0xf2/0x1b0 [ubifs]\n    ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs]\n    write_head+0xdc/0x1c0 [ubifs]\n    ubifs_jnl_write_inode+0x627/0x960 [ubifs]\n    wb_workfn+0x8af/0xb80\n\nFunction ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8\nbytes aligned, the 'len' represents the true length of buf (which is\nallocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so\nubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully\nto write leb safely.\n\nFetch a reproducer in [Link].","modified":"2026-03-15T22:43:16.514523Z","published":"2025-02-26T06:37:05.377Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1241-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/4f2262a334641e05f645364d5ade1f565c85f20b"},{"type":"FIX","url":"https://git.kernel.org/stable/c/5343575aa11c5d7044107d59d43f84aec01312b0"},{"type":"FIX","url":"https://git.kernel.org/stable/c/a7054aaf1909cf40489c0ec1b728fdcf79c751a6"},{"type":"FIX","url":"https://git.kernel.org/stable/c/b80ccbec0e4804436c382d7dd60e943c386ed83a"},{"type":"FIX","url":"https://git.kernel.org/stable/c/e09fa5318d51f522e1af4fbaf8f74999355980c8"},{"type":"FIX","url":"https://git.kernel.org/stable/c/07a209fadee7b53b46858538e1177597273862e4"},{"type":"FIX","url":"https://git.kernel.org/stable/c/3b7fb89135a20587d57f8877c02e25003e9edbdf"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"2.6.27"},{"fixed":"4.19.238"}]},{"events":[{"introduced":"4.20"},{"fixed":"5.4.189"}]},{"events":[{"introduced":"5.5"},{"fixed":"5.10.110"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.15.33"}]},{"events":[{"introduced":"5.16"},{"fixed":"5.16.19"}]},{"events":[{"introduced":"5.17"},{"fixed":"5.17.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47636.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"}]}