DEBIAN-CVE-2021-47191

Source
https://security-tracker.debian.org/tracker/CVE-2021-47191
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-47191.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2021-47191
Published
2024-04-10T19:15:47.663Z
Modified
2025-11-20T10:15:17.930897Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()

The following warning was observed running syzkaller:

    [ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
    [ 3813.830724] program syz-executor not setting count and/or reply_len properly
    [ 3813.836956] ==================================================================
    [ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
    [ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
    [ 3813.846612] Call Trace:
    [ 3813.846995] dump_stack+0x108/0x15f
    [ 3813.847524] print_address_description+0xa5/0x372
    [ 3813.848243] kasan_report.cold+0x236/0x2a8
    [ 3813.849439] check_memory_region+0x240/0x270
    [ 3813.850094] memcpy+0x30/0x80
    [ 3813.850553] sg_copy_buffer+0x157/0x1e0
    [ 3813.853032] sg_copy_from_buffer+0x13/0x20
    [ 3813.853660] fill_from_dev_buffer+0x135/0x370
    [ 3813.854329] resp_readcap16+0x1ac/0x280
    [ 3813.856917] schedule_resp+0x41f/0x1630
    [ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0
    [ 3813.862699] scsi_dispatch_cmd+0x330/0x950
    [ 3813.863329] scsi_request_fn+0xd8e/0x1710
    [ 3813.863946] __blk_run_queue+0x10b/0x230
    [ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400
    [ 3813.865220] sg_common_write.isra.0+0xe61/0x2420
    [ 3813.871637] sg_write+0x6c8/0xef0
    [ 3813.878853] __vfs_write+0xe4/0x800
    [ 3813.883487] vfs_write+0x17b/0x530
    [ 3813.884008] ksys_write+0x103/0x270
    [ 3813.886268] __x64_sys_write+0x77/0xc0
    [ 3813.886841] do_syscall_64+0x106/0x360
    [ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9

This issue can be reproduced with the following syzkaller log:

    r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
    r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
    open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
    r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
    write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)

In resp_readcap16() we get "int alloc_len" value -1104926854, and then pass the huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This leads to OOB in sg_copy_buffer().

To solve this issue, define alloc_len as u32.
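
The signedness problem described above, as an added user-space example (a simplified model, not the kernel's scsi_debug code). The helper names, the constructed CDB, the allocation-length offset of 10 (the standard 16-byte CDB layout for opcode 0x9e) and the 32-bit unsigned copy length are assumptions of the example; the length bytes are chosen to decode to the value quoted in the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARR_SZ 32u  /* response buffer size: "arr is only 32 bytes" */

/* Decode a big-endian 32-bit field from the command block. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Reinterpret the bits as signed: the effect of storing into "int alloc_len". */
static int32_t as_s32(uint32_t v)
{
    int32_t s;
    memcpy(&s, &v, sizeof s);
    return s;
}

/* Before: signed clamp. A negative alloc_len compares below 32 and is kept. */
static uint32_t copy_len_signed(const uint8_t *cdb)
{
    int32_t alloc_len = as_s32(be32(cdb + 10));
    int32_t n = alloc_len < (int32_t)ARR_SZ ? alloc_len : (int32_t)ARR_SZ;
    return (uint32_t)n;  /* model assumption: later used as an unsigned copy size */
}

/* After: unsigned clamp (alloc_len as u32). The result never exceeds ARR_SZ. */
static uint32_t copy_len_unsigned(const uint8_t *cdb)
{
    uint32_t alloc_len = be32(cdb + 10);
    return alloc_len < ARR_SZ ? alloc_len : ARR_SZ;
}

/* Constructed 16-byte CDB: opcode 0x9e, allocation length be 24 27 7a. */
static const uint8_t sample_cdb[16] = {
    0x9e, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0xbe, 0x24, 0x27, 0x7a, 0, 0
};

int main(void)
{
    printf("alloc_len as int: %d\n", (int)as_s32(be32(sample_cdb + 10)));
    printf("signed clamp:     %u\n", (unsigned)copy_len_signed(sample_cdb));
    printf("unsigned clamp:   %u\n", (unsigned)copy_len_unsigned(sample_cdb));
    return 0;
}
```
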

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.10.84-1

Affected versions

5.*
5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-47191.json"

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-47191.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-47191.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.15.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2021-47191.json"