cve-2021-47578
Vulnerability from cvelistv5
Published
2024-06-19 14:53
Modified
2024-11-04 12:08
Severity ?
Summary
scsi: scsi_debug: Don't call kcalloc() if size arg is zero
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.787Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/aa1f912712a109b6306746133de7e5343f016b26"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/47d11d35203b0aa13533634e270fe2c3610e531b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3344b58b53a76199dae48faa396e9fc37bf86992"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47578",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:12:52.726372Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:53.054Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aa1f912712a1",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "47d11d35203b",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "3344b58b53a7",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Don\u0027t call kcalloc() if size arg is zero\n\nIf the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR.  Because of\nthat, for a following NULL pointer check to work on the returned pointer,\nkcalloc() must not be called with the size arg equal to zero. Return early\nwithout error before the kcalloc() call if size arg is zero.\n\nBUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]\nBUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\nWrite of size 4 at addr 0000000000000010 by task syz-executor.1/22789\n\nCPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2\nCall Trace:\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\n __kasan_report mm/kasan/report.c:446 [inline]\n kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\n memcpy+0x3b/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:191 [inline]\n sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\n do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]\n do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]\n resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276\n schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\n scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\n scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\n scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\n blk_execute_rq+0xdb/0x360 block/blk-exec.c:102\n sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]\n scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930\n sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl fs/ioctl.c:860 [inline]\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:08:32.046Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aa1f912712a109b6306746133de7e5343f016b26"
        },
        {
          "url": "https://git.kernel.org/stable/c/47d11d35203b0aa13533634e270fe2c3610e531b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3344b58b53a76199dae48faa396e9fc37bf86992"
        }
      ],
      "title": "scsi: scsi_debug: Don\u0027t call kcalloc() if size arg is zero",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47578",
    "datePublished": "2024-06-19T14:53:46.061Z",
    "dateReserved": "2024-05-24T15:11:00.730Z",
    "dateUpdated": "2024-11-04T12:08:32.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47578\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-19T15:15:52.320\",\"lastModified\":\"2024-11-21T06:36:35.410\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: scsi_debug: Don\u0027t call kcalloc() if size arg is zero\\n\\nIf the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR.  Because of\\nthat, for a following NULL pointer check to work on the returned pointer,\\nkcalloc() must not be called with the size arg equal to zero. Return early\\nwithout error before the kcalloc() call if size arg is zero.\\n\\nBUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]\\nBUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\\nWrite of size 4 at addr 0000000000000010 by task syz-executor.1/22789\\n\\nCPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1\\nHardware name: Red Hat KVM, BIOS 1.13.0-2\\nCall Trace:\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\\n __kasan_report mm/kasan/report.c:446 [inline]\\n kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459\\n check_region_inline mm/kasan/generic.c:183 [inline]\\n kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\\n memcpy+0x3b/0x60 mm/kasan/shadow.c:66\\n memcpy include/linux/fortify-string.h:191 [inline]\\n sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974\\n do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]\\n do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]\\n resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276\\n schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\\n scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\\n scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\\n scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761\\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\\n blk_execute_rq+0xdb/0x360 block/blk-exec.c:102\\n sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]\\n scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930\\n sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112\\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\\n vfs_ioctl fs/ioctl.c:51 [inline]\\n __do_sys_ioctl fs/ioctl.c:874 [inline]\\n __se_sys_ioctl fs/ioctl.c:860 [inline]\\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x44/0xae\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: scsi_debug: no llamar a kcalloc() si el tama\u00f1o arg es cero. Si el tama\u00f1o arg de kcalloc() es cero, devuelve ZERO_SIZE_PTR. Por eso, para que una siguiente verificaci\u00f3n de puntero NULL funcione en el puntero devuelto, no se debe llamar a kcalloc() con el tama\u00f1o arg igual a cero. Regrese temprano sin errores antes de la llamada a kcalloc() si el tama\u00f1o arg es cero. ERROR: KASAN: null-ptr-deref en memcpy include/linux/fortify-string.h:191 [en l\u00ednea] ERROR: KASAN: null-ptr-deref en sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 Escritura de tama\u00f1o 4 en la direcci\u00f3n 0000000000000010 por tarea syz-executor.1/22789 CPU: 1 PID: 22789 Comm: syz-executor.1 No contaminado 5.15.0-syzk #1 Nombre del hardware: Red Hat KVM, BIOS 1.13.0-2 Seguimiento de llamadas : __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [en l\u00ednea] kasan_report.cold.14+0x112/0x117 mm/kasan/ report.c:459 check_region_inline mm/kasan/generic.c:183 [en l\u00ednea] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x3b/0x60 mm/kasan/shadow.c:66 memcpy include/linux /fortify-string.h:191 [en l\u00ednea] sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 controladores do_dout_fetch/scsi/scsi_debug.c:2954 [en l\u00ednea] controladores do_dout_fetch/scsi/scsi_debug.c:2946 [en l\u00ednea] resp_verify +0x49e/0x930 controladores/scsi/scsi_debug.c:4276 Schedule_resp+0x4d8/0x1a70 controladores/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 controladores/scsi/scsi_debug.c:7533 controladores scsi_dispatch_cmd/scsi /scsi_lib.c: 1520 [en l\u00ednea] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 lk-mq-sched.c:325 blk_mq_sched_dispatch_requests+ 0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 cola+0x18d/0x350 bloque/negro -mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102 sg_scsi_ioctl controladores/scsi/scsi_ioctl.c:621 [en l\u00ednea] scsi_ioctl+0x8bb/0x15c0 controladores/scsi/scsi_ioctl.c:930 sg_ioctl_common+0x172d/0x2710 controladores/scsi/sg.c:1112 sg_ioctl+0xa2/0 controladores x180/scsi/ SG.C: 1165 VFS_IOCTL FS/IOCTL.C: 51 [INLINE] __DO_SYS_IOCTL FS/IOCTL.C: 874 [INLINE] __SE_SYS_IOCTL FS/IOCTL.C: 860 [Inline] __X64_SY 60 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.10.88\",\"matchCriteriaId\":\"28749C54-EB4A-4AEC-AB94-5AE114B972ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.11\",\"matchCriteriaId\":\"11274E95-438A-449A-B100-01B2B0046669\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3344b58b53a76199dae48faa396e9fc37bf86992\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/47d11d35203b0aa13533634e270fe2c3610e531b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aa1f912712a109b6306746133de7e5343f016b26\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3344b58b53a76199dae48faa396e9fc37bf86992\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/47d11d35203b0aa13533634e270fe2c3610e531b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aa1f912712a109b6306746133de7e5343f016b26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.