CVE-2021-47604: 
Linux Kernel vulnerability analysis and mitigation

CVE-2021-47604 affects the Linux kernel's vduse (vDPA Device in Userspace) component. The vulnerability was discovered in the get_config() function where an insufficient bounds checking could lead to an out-of-bounds read condition. The issue affects Linux kernel versions from 5.15 up to (excluding) 5.15.11 (NVD).

The vulnerability exists in the vdusevdpagetconfig() function where it only checks the 'len' parameter but fails to properly validate the 'offset' parameter against dev->configsize. Due to both variables being unsigned, the subtraction operation 'dev->configsize - offset' could result in a very large unsigned value when offset is greater than configsize, potentially leading to an out-of-bounds read. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

If exploited, this vulnerability could allow an attacker to read memory outside the intended bounds of the config buffer, potentially exposing sensitive information. The vulnerability affects confidentiality and availability of the system, but does not impact integrity (NVD).

The vulnerability has been fixed by adding an explicit check for the offset parameter in the getconfig() function. The patch ensures that offset is not greater than dev->configsize before performing the subtraction operation. Users should upgrade to Linux kernel version 5.15.11 or later which includes the fix (Kernel Patch).