CVE-2021-47182

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/04/2024
Last modified:
21/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix scsi_mode_sense() buffer length handling

Several problems exist with scsi_mode_sense() buffer length handling:

1) The allocation length field of the MODE SENSE(10) command is 16-bits, occupying bytes 7 and 8 of the CDB. With this command, access to mode pages larger than 255 bytes is thus possible. However, the CDB allocation length field is set by assigning len to byte 8 only, thus truncating buffer length larger than 255.

2) If scsi_mode_sense() is called with len smaller than 8 with sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length is increased to 8 and 4 respectively, and the buffer is zero filled with these increased values, thus corrupting the memory following the buffer.

Fix these 2 problems by using put_unaligned_be16() to set the allocation length field of MODE SENSE(10) CDB and by returning an error when len is too small.

Furthermore, if len is larger than 255B, always try MODE SENSE(10) first, even if the device driver did not set sdev->use_10_for_ms. In case of invalid opcode error for MODE SENSE(10), access to mode pages larger than 255 bytes is not retried using MODE SENSE(6). To avoid buffer length overflows for the MODE_SENSE(10) case, check that len is smaller than 65535 bytes.

While at it, also fix the following:

* Use get_unaligned_be16() to retrieve the mode data length and block descriptor length fields of the mode sense reply header instead of using an open coded calculation.

* Fix the kdoc dbd argument explanation: the DBD bit stands for Disable Block Descriptor, which is the opposite of what the dbd argument description was.
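The two length bugs and their fix, as an added stand-alone C model written for this page (not the kernel's own code). build_mode_sense_old() reproduces the pre-fix CDB construction and build_mode_sense_new() the fixed one; put_be16()/get_be16() stand in for the kernel's put_unaligned_be16()/get_unaligned_be16(), and the helper names encoded_alloc_len() and overruns_short_buffer() are this example's own. The retry on an invalid-opcode error for MODE SENSE(10) involves the device and is not modelled.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MODE_SENSE    0x1a  /* 6-byte CDB: 8-bit allocation length in byte 4 */
#define MODE_SENSE_10 0x5a  /* 10-byte CDB: 16-bit allocation length in bytes 7..8 */

/* Stand-ins for the kernel's put_unaligned_be16()/get_unaligned_be16(). */
static void put_be16(unsigned char *p, uint16_t v)
{
	p[0] = (unsigned char)(v >> 8);
	p[1] = (unsigned char)(v & 0xff);
}

static uint16_t get_be16(const unsigned char *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Pre-fix CDB construction (Linux kernel before 5.15.5). Returns header length. */
int build_mode_sense_old(int use_10_for_ms, int dbd, int modepage,
			 unsigned char *buffer, int len, unsigned char cmd[12])
{
	int header_length;

	memset(cmd, 0, 12);
	cmd[1] = (unsigned char)(dbd & 0x18);
	cmd[2] = (unsigned char)modepage;
	if (use_10_for_ms) {
		if (len < 8)
			len = 8;                 /* bug 2: len silently grown past the buffer */
		cmd[0] = MODE_SENSE_10;
		cmd[8] = (unsigned char)len;     /* bug 1: high byte of len is dropped */
		header_length = 8;
	} else {
		if (len < 4)
			len = 4;                 /* bug 2 again, for the 6-byte form */
		cmd[0] = MODE_SENSE;
		cmd[4] = (unsigned char)len;
		header_length = 4;
	}
	memset(buffer, 0, (size_t)len);          /* zero-fills beyond a short buffer */
	return header_length;
}

/* Fixed CDB construction. Returns header length, or -EINVAL for a bad len. */
int build_mode_sense_new(int use_10_for_ms, int dbd, int modepage,
			 unsigned char *buffer, int len, unsigned char cmd[12])
{
	int header_length;

	memset(cmd, 0, 12);
	cmd[1] = (unsigned char)(dbd & 0x18);
	cmd[2] = (unsigned char)modepage;
	if (len > 255)
		use_10_for_ms = 1;               /* pages > 255 bytes need the 10-byte form */
	if (use_10_for_ms) {
		if (len < 8 || len > 65535)
			return -EINVAL;          /* header does not fit, or len not encodable */
		cmd[0] = MODE_SENSE_10;
		put_be16(&cmd[7], (uint16_t)len);
		header_length = 8;
	} else {
		if (len < 4)
			return -EINVAL;
		cmd[0] = MODE_SENSE;
		cmd[4] = (unsigned char)len;
		header_length = 4;
	}
	memset(buffer, 0, (size_t)len);          /* len is exactly what the caller owns */
	return header_length;
}

/* Allocation length as the target decodes it from the CDB. */
int cdb_alloc_len(const unsigned char cmd[12])
{
	return cmd[0] == MODE_SENSE_10 ? get_be16(&cmd[7]) : cmd[4];
}

/* Length the device will see for a caller asking for len bytes, or -EINVAL. */
int encoded_alloc_len(int fixed, int use_10_for_ms, int len)
{
	unsigned char buf[65536], cmd[12];
	int rc = fixed ? build_mode_sense_new(use_10_for_ms, 0, 0x3f, buf, len, cmd)
		       : build_mode_sense_old(use_10_for_ms, 0, 0x3f, buf, len, cmd);
	return rc < 0 ? rc : cdb_alloc_len(cmd);
}

/* 1 if a 4-byte caller buffer had bytes beyond it zeroed (area[4..] is the canary). */
int overruns_short_buffer(int fixed)
{
	unsigned char area[16], cmd[12];
	memset(area, 0xaa, sizeof area);
	if (fixed)
		build_mode_sense_new(1, 0, 0x3f, area, 4, cmd);
	else
		build_mode_sense_old(1, 0, 0x3f, area, 4, cmd);
	return area[4] == 0;
}
```

With the old code a 300-byte request reaches the device as 300 & 0xff = 44 bytes, and a 4-byte buffer passed with use_10_for_ms set gets eight bytes zeroed; the fixed code encodes 300 as two big-endian bytes, promotes an unflagged device to MODE SENSE(10) for any len over 255, and rejects len below the header size or above 65535 before touching the buffer.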

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: (not specified)
Up to: 5.15.5 (excluding)