CVE-2021-47580
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
19/06/2024
Last modified:
01/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
scsi: scsi_debug: Fix type in min_t to avoid stack OOB<br />
<br />
Change min_t() to use type "u32" instead of type "int" to avoid stack out<br />
of bounds. With min_t() type "int" the values get sign extended and the<br />
larger value gets used causing stack out of bounds.<br />
<br />
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]<br />
BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976<br />
Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707<br />
<br />
CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1<br />
Hardware name: Red Hat KVM, BIOS 1.13.0-2<br />
Call Trace:<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106<br />
print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256<br />
__kasan_report mm/kasan/report.c:442 [inline]<br />
kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459<br />
check_region_inline mm/kasan/generic.c:183 [inline]<br />
kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189<br />
memcpy+0x23/0x60 mm/kasan/shadow.c:65<br />
memcpy include/linux/fortify-string.h:191 [inline]<br />
sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976<br />
sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000<br />
fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162<br />
fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]<br />
resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887<br />
schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478<br />
scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533<br />
scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]<br />
scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699<br />
blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639<br />
__blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325<br />
blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358<br />
__blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761<br />
__blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838<br />
blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891<br />
blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474<br />
blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62<br />
sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836<br />
sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774<br />
sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939<br />
sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165<br />
vfs_ioctl fs/ioctl.c:51 [inline]<br />
__do_sys_ioctl fs/ioctl.c:874 [inline]<br />
__se_sys_ioctl fs/ioctl.c:860 [inline]<br />
__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860<br />
do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae
Impact
Base Score 3.x
6.60
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.88 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3085147645938eb41f0bc0e25ef9791e71f5ee4b
- https://git.kernel.org/stable/c/36e07d7ede88a1f1ef8f0f209af5b7612324ac2c
- https://git.kernel.org/stable/c/bdb854f134b964528fa543e0351022eb45bd7346
- https://git.kernel.org/stable/c/3085147645938eb41f0bc0e25ef9791e71f5ee4b
- https://git.kernel.org/stable/c/36e07d7ede88a1f1ef8f0f209af5b7612324ac2c
- https://git.kernel.org/stable/c/bdb854f134b964528fa543e0351022eb45bd7346