CVE-2021-47578

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: scsi_debug: Don&amp;#39;t call kcalloc() if size arg is zero<br /> <br /> If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of<br /> that, for a following NULL pointer check to work on the returned pointer,<br /> kcalloc() must not be called with the size arg equal to zero. Return early<br /> without error before the kcalloc() call if size arg is zero.<br /> <br /> BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]<br /> BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974<br /> Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789<br /> <br /> CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1<br /> Hardware name: Red Hat KVM, BIOS 1.13.0-2<br /> Call Trace:<br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106<br /> __kasan_report mm/kasan/report.c:446 [inline]<br /> kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189<br /> memcpy+0x3b/0x60 mm/kasan/shadow.c:66<br /> memcpy include/linux/fortify-string.h:191 [inline]<br /> sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974<br /> do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]<br /> do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]<br /> resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276<br /> schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478<br /> scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533<br /> scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]<br /> scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699<br /> blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639<br /> __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325<br /> blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358<br /> __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761<br /> __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838<br /> blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891<br /> blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474<br /> blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62<br /> blk_execute_rq+0xdb/0x360 block/blk-exec.c:102<br /> sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]<br /> scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930<br /> sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112<br /> sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:874 [inline]<br /> __se_sys_ioctl fs/ioctl.c:860 [inline]<br /> __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae