CVE-2021-47576

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47576
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47576.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47576
Related
Published
2024-06-19T15:15:52Z
Modified
2024-09-11T04:41:14.493350Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsidebug: Sanity check block descriptor length in respmode_select()

In respmodeselect() sanity check the block descriptor len to avoid UAF.

BUG: KASAN: use-after-free in respmodeselect+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Call Trace: <TASK> dumpstacklvl+0x89/0xb5 lib/dumpstack.c:107 printaddressdescription.constprop.9+0x28/0x160 mm/kasan/report.c:257 kasanreport.cold.14+0x7d/0x117 mm/kasan/report.c:443 _asanreportload1noabort+0x14/0x20 mm/kasan/reportgeneric.c:306 respmodeselect+0xa4c/0xb40 drivers/scsi/scsidebug.c:2509 scheduleresp+0x4af/0x1a10 drivers/scsi/scsidebug.c:5483 scsidebugqueuecommand+0x8c9/0x1e70 drivers/scsi/scsidebug.c:7537 scsiqueuerq+0x16b4/0x2d10 drivers/scsi/scsilib.c:1521 blkmqdispatchrqlist+0xb9b/0x2700 block/blk-mq.c:1640 _blkmqscheddispatchrequests+0x28f/0x590 block/blk-mq-sched.c:325 blkmqscheddispatchrequests+0x105/0x190 block/blk-mq-sched.c:358 _blkmqrunhwqueue+0xe5/0x150 block/blk-mq.c:1762 _blkmqdelayrunhwqueue+0x4f8/0x5c0 block/blk-mq.c:1839 blkmqrunhwqueue+0x18d/0x350 block/blk-mq.c:1891 blkmqschedinsertrequest+0x3db/0x4e0 block/blk-mq-sched.c:474 blkexecuterqnowait+0x16b/0x1c0 block/blk-exec.c:63 sgcommonwrite.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837 sgnewwrite.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775 sgioctlcommon+0x14d6/0x2710 drivers/scsi/sg.c:941 sgioctl+0xa2/0x180 drivers/scsi/sg.c:1166 _x64sysioctl+0x19d/0x220 fs/ioctl.c:52 dosyscall64+0x3a/0x80 arch/x86/entry/common.c:50 entrySYSCALL64afterhwframe+0x44/0xae arch/x86/entry/entry64.S:113

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.92-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}