In the Linux kernel, the following vulnerability has been resolved: scsi:
scsi_debug: Fix out-of-bound read in resp_readcap16() The following warning
was observed running syzkaller: [ 3813.830724] sg_write: data in/out
65466/242 bytes for SCSI command 0x9e-- guessing data in; [ 3813.830724]
program syz-executor not setting count and/or reply_len properly [
3813.836956]
================================================================== [
3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task
syz-executor/1549 [ 3813.846612] Call Trace: [ 3813.846995]
dump_stack+0x108/0x15f [ 3813.847524] print_address_description+0xa5/0x372
[ 3813.848243] kasan_report.cold+0x236/0x2a8 [ 3813.849439]
check_memory_region+0x240/0x270 [ 3813.850094] memcpy+0x30/0x80 [
3813.850553] sg_copy_buffer+0x157/0x1e0 [ 3813.853032]
sg_copy_from_buffer+0x13/0x20 [ 3813.853660]
fill_from_dev_buffer+0x135/0x370 [ 3813.854329] resp_readcap16+0x1ac/0x280
[ 3813.856917] schedule_resp+0x41f/0x1630 [ 3813.858203]
scsi_debug_queuecommand+0xb32/0x17e0 [ 3813.862699]
scsi_dispatch_cmd+0x330/0x950 [ 3813.863329] scsi_request_fn+0xd8e/0x1710 [
3813.863946] __blk_run_queue+0x10b/0x230 [ 3813.864544]
blk_execute_rq_nowait+0x1d8/0x400 [ 3813.865220]
sg_common_write.isra.0+0xe61/0x2420 [ 3813.871637] sg_write+0x6c8/0xef0 [
3813.878853] __vfs_write+0xe4/0x800 [ 3813.883487] vfs_write+0x17b/0x530 [
3813.884008] ksys_write+0x103/0x270 [ 3813.886268]
__x64_sys_write+0x77/0xc0 [ 3813.886841] do_syscall_64+0x106/0x360 [
3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9 This issue can be
reproduced with the following syzkaller log: r0 =
openat(0xffffffffffffff9c, &(0x7f0000000040)=‘./file0\x00’, 0x26e1, 0x0) r1
= syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)=‘fd/3\x00’)
open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000) r2 =
syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782) write$binfmt_aout(r2,
&(0x7f0000000340)=ANY=[@ANYBLOB=“00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d”],
0x126) In resp_readcap16() we get “int alloc_len” value -1104926854, and
then pass the huge arr_len to fill_from_dev_buffer(), but arr is only 32
bytes. This leads to OOB in sg_copy_buffer(). To solve this issue, define
alloc_len as u32.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-bluefield | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gkeop | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-ibm | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-iot | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-kvm | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-oracle | < any | UNKNOWN |
git.kernel.org/linus/4e3ace0051e7e504b55d239daab8789dd89b863c (5.16-rc1)
git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a
git.kernel.org/stable/c/4e3ace0051e7e504b55d239daab8789dd89b863c
git.kernel.org/stable/c/5b8bed6464ad6653586e30df046185fd816ad999
launchpad.net/bugs/cve/CVE-2021-47191
nvd.nist.gov/vuln/detail/CVE-2021-47191
security-tracker.debian.org/tracker/CVE-2021-47191
www.cve.org/CVERecord?id=CVE-2021-47191