CVE-2021-47366: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server AFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and Linux's afs client switches between them when talking to a non-YFS server if the read size, the file position or the sum of the two have the upper 32 bits set of the 64-bit value. This is a problem, however, since the file position and length fields of FS.FetchData are *signed* 32-bit values. Fix this by capturing the capability bits obtained from the fileserver when it's sent an FS.GetCapabilities RPC, rather than just discarding them, and then picking out the VICED_CAPABILITY_64BITFILES flag. This can then be used to decide whether to use FS.FetchData or FS.FetchData64 - and also FS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to switch on the parameter values. This capabilities flag could also be used to limit the maximum size of the file, but all servers must be checked for that. Note that the issue does not exist with FS.StoreData - that uses *unsigned* 32-bit values. It's also not a problem with Auristor servers as its YFS.FetchData64 op uses unsigned 64-bit values. This can be tested by cloning a git repo through an OpenAFS client to an OpenAFS server and then doing "git status" on it from a Linux afs client[1]. Provided the clone has a pack file that's in the 2G-4G range, the git status will show errors like: error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index This can be observed in the server's FileLog with something like the following appearing: Sun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001 Sun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001 Sun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154 Sun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866 ... Sun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5 Note the file position of 18446744071815340032. This is the requested file position sign-extended.
AI Analysis
Technical Summary
CVE-2021-47366 is a vulnerability in the Linux kernel's implementation of the OpenAFS client, specifically in how it handles file read operations from an OpenAFS server. OpenAFS uses two Remote Procedure Call (RPC) variants for data fetching: FS.FetchData and FS.FetchData64. The Linux AFS client switches between these based on the read size, file position, or their sum having the upper 32 bits set in a 64-bit value. However, the FS.FetchData RPC uses signed 32-bit values for file position and length, which leads to incorrect interpretation when values exceed the signed 32-bit range, causing data corruption during reads at file positions between 2GB and 4GB. The root cause is that the client incorrectly switches between FS.FetchData and FS.FetchData64 based on upper 32 bits rather than the server's capabilities. The fix involves capturing the server's capability flags via FS.GetCapabilities RPC, specifically the VICED_CAPABILITY_64BITFILES flag, to correctly decide which RPC variant to use for fetching and storing data. This prevents the client from misinterpreting file positions and lengths and avoids data corruption. The vulnerability manifests as errors when accessing large files (2GB-4GB range) on OpenAFS servers, such as git packfile mismatches during operations like 'git status'. The issue does not affect FS.StoreData because it uses unsigned 32-bit values, nor does it affect Auristor servers which use unsigned 64-bit values for their YFS.FetchData64 operation. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability was published on May 21, 2024, and affects Linux kernel versions containing the specified commit hashes.
Potential Impact
For European organizations using Linux systems with OpenAFS clients connected to OpenAFS servers, this vulnerability can lead to silent data corruption when reading large files between 2GB and 4GB. This can cause integrity issues in critical file operations, such as source code repositories (e.g., git), large data files, or any application relying on OpenAFS for distributed file storage. Corrupted reads can result in application errors, data inconsistency, and potential disruption of workflows dependent on accurate file access. While the vulnerability does not appear to allow remote code execution or privilege escalation, the integrity compromise can affect software development, data analytics, and other sectors relying on large file handling. The lack of known exploits reduces immediate risk, but the subtlety of data corruption means detection may be delayed, increasing potential damage. Availability impact is minimal, as the issue causes read errors rather than system crashes. Confidentiality is not directly impacted. Overall, the threat primarily affects data integrity in environments using OpenAFS on Linux, which may include research institutions, universities, and enterprises with legacy distributed file systems.
Mitigation Recommendations
European organizations should ensure their Linux kernels are updated to versions containing the patch that correctly implements capability flag checks for OpenAFS clients, specifically verifying the presence of the VICED_CAPABILITY_64BITFILES flag before choosing FS.FetchData or FS.FetchData64 RPCs. Administrators should audit their environments for OpenAFS usage and identify clients and servers involved in large file operations. Testing with large files (2GB-4GB) can help detect corruption symptoms. Where possible, migrating from OpenAFS to more modern distributed file systems that handle large files robustly is advisable. Additionally, organizations should implement integrity verification mechanisms for critical files, such as checksums or digital signatures, to detect corruption early. Monitoring OpenAFS server logs for anomalous FetchData requests with suspicious file positions can aid in early detection. Backup strategies should be reviewed to ensure recovery from corrupted data. Since no known exploits exist, immediate patching is the best preventive measure to avoid future exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland
CVE-2021-47366: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server AFS-3 has two data fetch RPC variants, FS.FetchData and FS.FetchData64, and Linux's afs client switches between them when talking to a non-YFS server if the read size, the file position or the sum of the two have the upper 32 bits set of the 64-bit value. This is a problem, however, since the file position and length fields of FS.FetchData are *signed* 32-bit values. Fix this by capturing the capability bits obtained from the fileserver when it's sent an FS.GetCapabilities RPC, rather than just discarding them, and then picking out the VICED_CAPABILITY_64BITFILES flag. This can then be used to decide whether to use FS.FetchData or FS.FetchData64 - and also FS.StoreData or FS.StoreData64 - rather than using upper_32_bits() to switch on the parameter values. This capabilities flag could also be used to limit the maximum size of the file, but all servers must be checked for that. Note that the issue does not exist with FS.StoreData - that uses *unsigned* 32-bit values. It's also not a problem with Auristor servers as its YFS.FetchData64 op uses unsigned 64-bit values. This can be tested by cloning a git repo through an OpenAFS client to an OpenAFS server and then doing "git status" on it from a Linux afs client[1]. Provided the clone has a pack file that's in the 2G-4G range, the git status will show errors like: error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index error: packfile .git/objects/pack/pack-5e813c51d12b6847bbc0fcd97c2bca66da50079c.pack does not match index This can be observed in the server's FileLog with something like the following appearing: Sun Aug 29 19:31:39 2021 SRXAFS_FetchData, Fid = 2303380852.491776.3263114, Host 192.168.11.201:7001, Id 1001 Sun Aug 29 19:31:39 2021 CheckRights: len=0, for host=192.168.11.201:7001 Sun Aug 29 19:31:39 2021 FetchData_RXStyle: Pos 18446744071815340032, Len 3154 Sun Aug 29 19:31:39 2021 FetchData_RXStyle: file size 2400758866 ... Sun Aug 29 19:31:40 2021 SRXAFS_FetchData returns 5 Note the file position of 18446744071815340032. This is the requested file position sign-extended.
AI-Powered Analysis
Technical Analysis
CVE-2021-47366 is a vulnerability in the Linux kernel's implementation of the OpenAFS client, specifically in how it handles file read operations from an OpenAFS server. OpenAFS uses two Remote Procedure Call (RPC) variants for data fetching: FS.FetchData and FS.FetchData64. The Linux AFS client switches between these based on the read size, file position, or their sum having the upper 32 bits set in a 64-bit value. However, the FS.FetchData RPC uses signed 32-bit values for file position and length, which leads to incorrect interpretation when values exceed the signed 32-bit range, causing data corruption during reads at file positions between 2GB and 4GB. The root cause is that the client incorrectly switches between FS.FetchData and FS.FetchData64 based on upper 32 bits rather than the server's capabilities. The fix involves capturing the server's capability flags via FS.GetCapabilities RPC, specifically the VICED_CAPABILITY_64BITFILES flag, to correctly decide which RPC variant to use for fetching and storing data. This prevents the client from misinterpreting file positions and lengths and avoids data corruption. The vulnerability manifests as errors when accessing large files (2GB-4GB range) on OpenAFS servers, such as git packfile mismatches during operations like 'git status'. The issue does not affect FS.StoreData because it uses unsigned 32-bit values, nor does it affect Auristor servers which use unsigned 64-bit values for their YFS.FetchData64 operation. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability was published on May 21, 2024, and affects Linux kernel versions containing the specified commit hashes.
Potential Impact
For European organizations using Linux systems with OpenAFS clients connected to OpenAFS servers, this vulnerability can lead to silent data corruption when reading large files between 2GB and 4GB. This can cause integrity issues in critical file operations, such as source code repositories (e.g., git), large data files, or any application relying on OpenAFS for distributed file storage. Corrupted reads can result in application errors, data inconsistency, and potential disruption of workflows dependent on accurate file access. While the vulnerability does not appear to allow remote code execution or privilege escalation, the integrity compromise can affect software development, data analytics, and other sectors relying on large file handling. The lack of known exploits reduces immediate risk, but the subtlety of data corruption means detection may be delayed, increasing potential damage. Availability impact is minimal, as the issue causes read errors rather than system crashes. Confidentiality is not directly impacted. Overall, the threat primarily affects data integrity in environments using OpenAFS on Linux, which may include research institutions, universities, and enterprises with legacy distributed file systems.
Mitigation Recommendations
European organizations should ensure their Linux kernels are updated to versions containing the patch that correctly implements capability flag checks for OpenAFS clients, specifically verifying the presence of the VICED_CAPABILITY_64BITFILES flag before choosing FS.FetchData or FS.FetchData64 RPCs. Administrators should audit their environments for OpenAFS usage and identify clients and servers involved in large file operations. Testing with large files (2GB-4GB) can help detect corruption symptoms. Where possible, migrating from OpenAFS to more modern distributed file systems that handle large files robustly is advisable. Additionally, organizations should implement integrity verification mechanisms for critical files, such as checksums or digital signatures, to detect corruption early. Monitoring OpenAFS server logs for anomalous FetchData requests with suspicious file positions can aid in early detection. Backup strategies should be reviewed to ensure recovery from corrupted data. Since no known exploits exist, immediate patching is the best preventive measure to avoid future exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T14:58:30.810Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe8f36
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 11:58:38 AM
Last updated: 8/15/2025, 10:58:02 AM
Views: 13
Related Threats
CVE-2025-9105: Cross Site Scripting in Portabilis i-Diario
MediumCVE-2025-9104: Cross Site Scripting in Portabilis i-Diario
MediumCVE-2025-9102: Improper Export of Android Application Components in 1&1 Mail & Media mail.com App
MediumCVE-2025-9101: Cross Site Scripting in zhenfeng13 My-Blog
MediumCVE-2025-9100: Authentication Bypass by Capture-replay in zhenfeng13 My-Blog
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.