CVE-2021-47576

Source
https://cve.org/CVERecord?id=CVE-2021-47576
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47576.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47576
Published
2024-06-19T15:15:52.117Z
Modified
2026-03-10T23:51:42.350880Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()

In resp_mode_select() sanity check the block descriptor len to avoid UAF.

BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "4.9.294"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.10"
            },
            {
                "fixed": "4.14.259"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.15"
            },
            {
                "fixed": "4.19.222"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.20"
            },
            {
                "fixed": "5.4.168"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.5"
            },
            {
                "fixed": "5.10.88"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.11"
            },
            {
                "fixed": "5.15.11"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47576.json"