Linux Kernel up to 5.15.9 i2c virtqueue_add_sgs memory corruption

Summaryinfo

A vulnerability described as critical has been identified in Linux Kernel up to 5.15.9. This impacts the function virtqueue_add_sgs of the component i2c. Such manipulation leads to memory corruption. This vulnerability is documented as CVE-2021-47613. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Linux Kernel up to 5.15.9. It has been rated as critical. Affected by this issue is the function virtqueue_add_sgs of the component i2c. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: i2c: virtio: fix completion handling The driver currently assumes that the notify callback is only received when the device is done with all the queued buffers. However, this is not true, since the notify callback could be called without any of the queued buffers being completed (for example, with virtio-pci and shared interrupts) or with only some of the buffers being completed (since the driver makes them available to the device in multiple separate virtqueue_add_sgs() calls). This can lead to incorrect data on the I2C bus or memory corruption in the guest if the device operates on buffers which are have been freed by the driver. (The WARN_ON in the driver is also triggered.) BUG kmalloc-128 (Tainted: G W ): Poison overwritten First byte 0x0 instead of 0x6b Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28 memdup_user+0x2e/0xbd i2cdev_ioctl_rdwr+0x9d/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28 kfree+0x1bd/0x1cc i2cdev_ioctl_rdwr+0x1bb/0x1de i2cdev_ioctl+0x247/0x2ed vfs_ioctl+0x21/0x30 sys_ioctl+0xb18/0xb41 Fix this by calling virtio_get_buf() from the notify handler like other virtio drivers and by actually waiting for all the buffers to be completed.

The advisory is shared for download at git.kernel.org. This vulnerability is handled as CVE-2021-47613. The exploitation is known to be easy. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 10/04/2025).

Upgrading to version 5.15.10 eliminates this vulnerability. Applying the patch 9cbb957441ed/b503de239f62 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2024-1418). Once again VulDB remains the best source for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• IBM InfoSphere Guardium
• Oracle Linux
• Oracle VM
• IBM Security Guardium
• RESF Rocky Linux
• Broadcom Brocade SANnav
• Dell NetWorker
• Open Source Linux Kernel
• IBM QRadar SIEM
• Dell Avamar
• IBM Storage Scale
• Juniper Junos Space
• SolarWinds Security Event Manager
• Dell PowerProtect Data Domain

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 5.15.0
• 5.15.1
• 5.15.2
• 5.15.3
• 5.15.4
• 5.15.5
• 5.15.6
• 5.15.7
• 5.15.8
• 5.15.9

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion