CVE-2021-47219

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47219
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47219.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47219
Related
Published
2024-04-10T19:15:48Z
Modified
2024-09-11T04:51:16.757402Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()

The following issue was observed running syzkaller:

BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815

CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe4/0x14a lib/dump_stack.c:118
 print_address_description+0x73/0x280 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report+0x272/0x370 mm/kasan/report.c:410
 memcpy+0x1f/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:377 [inline]
 sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
 fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
 resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
 schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
 scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
 scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
 scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
 __blk_run_queue_uncond block/blk-core.c:464 [inline]
 __blk_run_queue+0x1a4/0x380 block/blk-core.c:484
 blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
 sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
 sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
 sg_write+0x64/0xa0 drivers/scsi/sg.c:622
 __vfs_write+0xed/0x690 fs/read_write.c:485
kill_bdev:block_device:00000000e138492c
 vfs_write+0x184/0x4c0 fs/read_write.c:549
 ksys_write+0x107/0x240 fs/read_write.c:599
 do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

We get 'alen' from the command; its type is int. If userspace passes a large length we will get a negative 'alen'.

Switch n, alen, and rlen to u32.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}