CVE-2021-47191

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47191
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47191.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47191
Related
Published
2024-04-10T19:15:47Z
Modified
2024-09-11T04:41:04.271601Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsidebug: Fix out-of-bound read in respreadcap16()

The following warning was observed running syzkaller:

[ 3813.830724] sgwrite: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in; [ 3813.830724] program syz-executor not setting count and/or replylen properly [ 3813.836956] ================================================================== [ 3813.839465] BUG: KASAN: stack-out-of-bounds in sgcopybuffer+0x157/0x1e0 [ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549 [ 3813.846612] Call Trace: [ 3813.846995] dumpstack+0x108/0x15f [ 3813.847524] printaddressdescription+0xa5/0x372 [ 3813.848243] kasanreport.cold+0x236/0x2a8 [ 3813.849439] checkmemoryregion+0x240/0x270 [ 3813.850094] memcpy+0x30/0x80 [ 3813.850553] sgcopybuffer+0x157/0x1e0 [ 3813.853032] sgcopyfrombuffer+0x13/0x20 [ 3813.853660] fillfromdevbuffer+0x135/0x370 [ 3813.854329] respreadcap16+0x1ac/0x280 [ 3813.856917] scheduleresp+0x41f/0x1630 [ 3813.858203] scsidebugqueuecommand+0xb32/0x17e0 [ 3813.862699] scsidispatchcmd+0x330/0x950 [ 3813.863329] scsirequestfn+0xd8e/0x1710 [ 3813.863946] _blkrunqueue+0x10b/0x230 [ 3813.864544] blkexecuterqnowait+0x1d8/0x400 [ 3813.865220] sgcommonwrite.isra.0+0xe61/0x2420 [ 3813.871637] sgwrite+0x6c8/0xef0 [ 3813.878853] _vfswrite+0xe4/0x800 [ 3813.883487] vfswrite+0x17b/0x530 [ 3813.884008] ksyswrite+0x103/0x270 [ 3813.886268] _x64syswrite+0x77/0xc0 [ 3813.886841] dosyscall64+0x106/0x360 [ 3813.887415] entrySYSCALL64afterhwframe+0x44/0xa9

This issue can be reproduced with the following syzkaller log:

r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0) r1 = syzopenprocfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00') openbyhandleat(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000) r2 = syzopendev$sg(&(0x7f0000000000), 0x0, 0x40782) write$binfmtaout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)

In respreadcap16() we get "int alloclen" value -1104926854, and then pass the huge arrlen to fillfromdevbuffer(), but arr is only 32 bytes. This leads to OOB in sgcopybuffer().

To solve this issue, define alloc_len as u32.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}