CVE-2021-47191

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()<br /> <br /> The following warning was observed running syzkaller:<br /> <br /> [ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;<br /> [ 3813.830724] program syz-executor not setting count and/or reply_len properly<br /> [ 3813.836956] ==================================================================<br /> [ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0<br /> [ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549<br /> [ 3813.846612] Call Trace:<br /> [ 3813.846995] dump_stack+0x108/0x15f<br /> [ 3813.847524] print_address_description+0xa5/0x372<br /> [ 3813.848243] kasan_report.cold+0x236/0x2a8<br /> [ 3813.849439] check_memory_region+0x240/0x270<br /> [ 3813.850094] memcpy+0x30/0x80<br /> [ 3813.850553] sg_copy_buffer+0x157/0x1e0<br /> [ 3813.853032] sg_copy_from_buffer+0x13/0x20<br /> [ 3813.853660] fill_from_dev_buffer+0x135/0x370<br /> [ 3813.854329] resp_readcap16+0x1ac/0x280<br /> [ 3813.856917] schedule_resp+0x41f/0x1630<br /> [ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0<br /> [ 3813.862699] scsi_dispatch_cmd+0x330/0x950<br /> [ 3813.863329] scsi_request_fn+0xd8e/0x1710<br /> [ 3813.863946] __blk_run_queue+0x10b/0x230<br /> [ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400<br /> [ 3813.865220] sg_common_write.isra.0+0xe61/0x2420<br /> [ 3813.871637] sg_write+0x6c8/0xef0<br /> [ 3813.878853] __vfs_write+0xe4/0x800<br /> [ 3813.883487] vfs_write+0x17b/0x530<br /> [ 3813.884008] ksys_write+0x103/0x270<br /> [ 3813.886268] __x64_sys_write+0x77/0xc0<br /> [ 3813.886841] do_syscall_64+0x106/0x360<br /> [ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9<br /> <br /> This issue can be reproduced with the following syzkaller log:<br /> <br /> r0 = openat(0xffffffffffffff9c, &amp;(0x7f0000000040)=&amp;#39;./file0\x00&amp;#39;, 0x26e1, 0x0)<br /> r1 = syz_open_procfs(0xffffffffffffffff, &amp;(0x7f0000000000)=&amp;#39;fd/3\x00&amp;#39;)<br /> open_by_handle_at(r1, &amp;(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)<br /> r2 = syz_open_dev$sg(&amp;(0x7f0000000000), 0x0, 0x40782)<br /> write$binfmt_aout(r2, &amp;(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)<br /> <br /> In resp_readcap16() we get "int alloc_len" value -1104926854, and then pass<br /> the huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This<br /> leads to OOB in sg_copy_buffer().<br /> <br /> To solve this issue, define alloc_len as u32.