vulnerability

Ubuntu: (Multiple Advisories) (CVE-2021-47191): Linux kernel vulnerabilities

Severity
6
CVSS
(AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published
Apr 10, 2024
Added
May 8, 2025
Modified
Jun 3, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()

The following warning was observed running syzkaller:

[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
[ 3813.830724] program syz-executor not setting count and/or reply_len properly
[ 3813.836956] ==================================================================
[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
[ 3813.846612] Call Trace:
[ 3813.846995] dump_stack+0x108/0x15f
[ 3813.847524] print_address_description+0xa5/0x372
[ 3813.848243] kasan_report.cold+0x236/0x2a8
[ 3813.849439] check_memory_region+0x240/0x270
[ 3813.850094] memcpy+0x30/0x80
[ 3813.850553] sg_copy_buffer+0x157/0x1e0
[ 3813.853032] sg_copy_from_buffer+0x13/0x20
[ 3813.853660] fill_from_dev_buffer+0x135/0x370
[ 3813.854329] resp_readcap16+0x1ac/0x280
[ 3813.856917] schedule_resp+0x41f/0x1630
[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0
[ 3813.862699] scsi_dispatch_cmd+0x330/0x950
[ 3813.863329] scsi_request_fn+0xd8e/0x1710
[ 3813.863946] __blk_run_queue+0x10b/0x230
[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400
[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420
[ 3813.871637] sg_write+0x6c8/0xef0
[ 3813.878853] __vfs_write+0xe4/0x800
[ 3813.883487] vfs_write+0x17b/0x530
[ 3813.884008] ksys_write+0x103/0x270
[ 3813.886268] __x64_sys_write+0x77/0xc0
[ 3813.886841] do_syscall_64+0x106/0x360
[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9

This issue can be reproduced with the following syzkaller log:

r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)

In resp_readcap16() we get "int alloc_len" value -1104926854, and then pass
the huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This
leads to OOB in sg_copy_buffer().

To solve this issue, define alloc_len as u32.

Solution(s)

ubuntu-upgrade-linux-image-4-15-0-1135-fipsubuntu-upgrade-linux-image-4-15-0-1142-oracleubuntu-upgrade-linux-image-4-15-0-1163-kvmubuntu-upgrade-linux-image-4-15-0-1173-gcpubuntu-upgrade-linux-image-4-15-0-1180-awsubuntu-upgrade-linux-image-4-15-0-1188-azureubuntu-upgrade-linux-image-4-15-0-2081-gcp-fipsubuntu-upgrade-linux-image-4-15-0-2097-azure-fipsubuntu-upgrade-linux-image-4-15-0-2118-aws-fipsubuntu-upgrade-linux-image-4-15-0-237-genericubuntu-upgrade-linux-image-4-15-0-237-lowlatencyubuntu-upgrade-linux-image-4-4-0-1113-fipsubuntu-upgrade-linux-image-4-4-0-1143-awsubuntu-upgrade-linux-image-4-4-0-1144-kvmubuntu-upgrade-linux-image-4-4-0-1181-awsubuntu-upgrade-linux-image-4-4-0-268-genericubuntu-upgrade-linux-image-4-4-0-268-lowlatencyubuntu-upgrade-linux-image-5-4-0-1064-xilinx-zynqmpubuntu-upgrade-linux-image-5-4-0-1092-ibmubuntu-upgrade-linux-image-5-4-0-1105-bluefieldubuntu-upgrade-linux-image-5-4-0-1120-fipsubuntu-upgrade-linux-image-5-4-0-1129-raspiubuntu-upgrade-linux-image-5-4-0-1133-kvmubuntu-upgrade-linux-image-5-4-0-1144-oracleubuntu-upgrade-linux-image-5-4-0-1146-awsubuntu-upgrade-linux-image-5-4-0-1146-aws-fipsubuntu-upgrade-linux-image-5-4-0-1149-gcpubuntu-upgrade-linux-image-5-4-0-1149-gcp-fipsubuntu-upgrade-linux-image-5-4-0-1151-azureubuntu-upgrade-linux-image-5-4-0-1151-azure-fipsubuntu-upgrade-linux-image-5-4-0-216-genericubuntu-upgrade-linux-image-5-4-0-216-generic-lpaeubuntu-upgrade-linux-image-5-4-0-216-lowlatencyubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-fipsubuntu-upgrade-linux-image-aws-hweubuntu-upgrade-linux-image-aws-lts-18-04ubuntu-upgrade-linux-image-aws-lts-20-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-fipsubuntu-upgrade-linux-image-azure-lts-18-04ubuntu-upgrade-linux-image-azure-lts-20-04ubuntu-upgrade-linux-image-bluefieldubuntu-upgrade-linux-image-fipsubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-fipsubuntu-upgrade-linux-image-gcp-lts-18-04ubuntu-upgrade-linux-image-gcp-lts-20-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-hwe-16-04ubuntu-upgrade-linux-image-generic-hwe-18-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-generic-lts-xenialubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-lts-20-04ubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-hwe-16-04ubuntu-upgrade-linux-image-lowlatency-hwe-18-04ubuntu-upgrade-linux-image-lowlatency-lts-xenialubuntu-upgrade-linux-image-oemubuntu-upgrade-linux-image-oem-osp1ubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-lts-18-04ubuntu-upgrade-linux-image-oracle-lts-20-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-hwe-18-04ubuntu-upgrade-linux-image-raspi2ubuntu-upgrade-linux-image-snapdragon-hwe-18-04ubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-16-04ubuntu-upgrade-linux-image-virtual-hwe-18-04ubuntu-upgrade-linux-image-virtual-lts-xenialubuntu-upgrade-linux-image-xilinx-zynqmp
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.