{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2021-47191",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-03-25T09:12:14.113Z",
        "datePublished": "2024-04-10T18:56:29.455Z",
        "dateUpdated": "2024-08-04T05:32:07.284Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:03:38.345Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_readcap16()\n\nThe following warning was observed running syzkaller:\n\n[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;\n[ 3813.830724]    program syz-executor not setting count and/or reply_len properly\n[ 3813.836956] ==================================================================\n[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0\n[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549\n[ 3813.846612] Call Trace:\n[ 3813.846995]  dump_stack+0x108/0x15f\n[ 3813.847524]  print_address_description+0xa5/0x372\n[ 3813.848243]  kasan_report.cold+0x236/0x2a8\n[ 3813.849439]  check_memory_region+0x240/0x270\n[ 3813.850094]  memcpy+0x30/0x80\n[ 3813.850553]  sg_copy_buffer+0x157/0x1e0\n[ 3813.853032]  sg_copy_from_buffer+0x13/0x20\n[ 3813.853660]  fill_from_dev_buffer+0x135/0x370\n[ 3813.854329]  resp_readcap16+0x1ac/0x280\n[ 3813.856917]  schedule_resp+0x41f/0x1630\n[ 3813.858203]  scsi_debug_queuecommand+0xb32/0x17e0\n[ 3813.862699]  scsi_dispatch_cmd+0x330/0x950\n[ 3813.863329]  scsi_request_fn+0xd8e/0x1710\n[ 3813.863946]  __blk_run_queue+0x10b/0x230\n[ 3813.864544]  blk_execute_rq_nowait+0x1d8/0x400\n[ 3813.865220]  sg_common_write.isra.0+0xe61/0x2420\n[ 3813.871637]  sg_write+0x6c8/0xef0\n[ 3813.878853]  __vfs_write+0xe4/0x800\n[ 3813.883487]  vfs_write+0x17b/0x530\n[ 3813.884008]  ksys_write+0x103/0x270\n[ 3813.886268]  __x64_sys_write+0x77/0xc0\n[ 3813.886841]  do_syscall_64+0x106/0x360\n[ 3813.887415]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThis issue can be reproduced with the following syzkaller log:\n\nr0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x26e1, 0x0)\nr1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\\x00')\nopen_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)\nr2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)\nwrite$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB=\"00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d\"], 0x126)\n\nIn resp_readcap16() we get \"int alloc_len\" value -1104926854, and then pass\nthe huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This\nleads to OOB in sg_copy_buffer().\n\nTo solve this issue, define alloc_len as u32."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/scsi/scsi_debug.c"
                    ],
                    "versions": [
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "3e20cb072679",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "5b8bed6464ad",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "1da177e4c3f4",
                            "lessThan": "4e3ace0051e7",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/scsi/scsi_debug.c"
                    ],
                    "versions": [
                        {
                            "version": "5.10.82",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.5",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.16",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a"
                },
                {
                    "url": "https://git.kernel.org/stable/c/5b8bed6464ad6653586e30df046185fd816ad999"
                },
                {
                    "url": "https://git.kernel.org/stable/c/4e3ace0051e7e504b55d239daab8789dd89b863c"
                }
            ],
            "title": "scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-06-17T18:03:54.717932Z",
                                "id": "CVE-2021-47191",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-17T18:04:58.134Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-04T05:32:07.284Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/5b8bed6464ad6653586e30df046185fd816ad999",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/4e3ace0051e7e504b55d239daab8789dd89b863c",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}