cve/published/2021/CVE-2021-47219.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47219: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()

 The following issue was observed running syzkaller:

 BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
 BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
 Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815

 CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
 Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xe4/0x14a lib/dump_stack.c:118
  print_address_description+0x73/0x280 mm/kasan/report.c:253
  kasan_report_error mm/kasan/report.c:352 [inline]
  kasan_report+0x272/0x370 mm/kasan/report.c:410
  memcpy+0x1f/0x50 mm/kasan/kasan.c:302
  memcpy include/linux/string.h:377 [inline]
  sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
  fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
  resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
  schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
  scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
  scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
  scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
  __blk_run_queue_uncond block/blk-core.c:464 [inline]
  __blk_run_queue+0x1a4/0x380 block/blk-core.c:484
  blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
  sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
  sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
  sg_write+0x64/0xa0 drivers/scsi/sg.c:622
  __vfs_write+0xed/0x690 fs/read_write.c:485
 kill_bdev:block_device:00000000e138492c
  vfs_write+0x184/0x4c0 fs/read_write.c:549
  ksys_write+0x107/0x240 fs/read_write.c:599
  do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 We get 'alen' from command its type is int. If userspace passes a large
 length we will get a negative 'alen'.

 Switch n, alen, and rlen to u32.

 The Linux kernel CVE team has assigned CVE-2021-47219 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.82 with commit 8440377e1a5644779b4c8d013aa2a917f5fc83c3
 	Fixed in 5.15.5 with commit 66523553fa62c7878fc5441dc4e82be71934eb77
 	Fixed in 5.16 with commit f347c26836c270199de1599c3cd466bb7747caa9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47219
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/scsi_debug.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8440377e1a5644779b4c8d013aa2a917f5fc83c3
 	https://git.kernel.org/stable/c/66523553fa62c7878fc5441dc4e82be71934eb77
 	https://git.kernel.org/stable/c/f347c26836c270199de1599c3cd466bb7747caa9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47219: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()

	The following issue was observed running syzkaller:

	BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
	BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
	Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815

	CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
	Call Trace:
	__dump_stack lib/dump_stack.c:77 [inline]
	dump_stack+0xe4/0x14a lib/dump_stack.c:118
	print_address_description+0x73/0x280 mm/kasan/report.c:253
	kasan_report_error mm/kasan/report.c:352 [inline]
	kasan_report+0x272/0x370 mm/kasan/report.c:410
	memcpy+0x1f/0x50 mm/kasan/kasan.c:302
	memcpy include/linux/string.h:377 [inline]
	sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
	fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
	resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
	schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
	scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
	scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
	scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
	__blk_run_queue_uncond block/blk-core.c:464 [inline]
	__blk_run_queue+0x1a4/0x380 block/blk-core.c:484
	blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
	sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
	sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
	sg_write+0x64/0xa0 drivers/scsi/sg.c:622
	__vfs_write+0xed/0x690 fs/read_write.c:485
	kill_bdev:block_device:00000000e138492c
	vfs_write+0x184/0x4c0 fs/read_write.c:549
	ksys_write+0x107/0x240 fs/read_write.c:599
	do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
	entry_SYSCALL_64_after_hwframe+0x49/0xbe

	We get 'alen' from command its type is int. If userspace passes a large
	length we will get a negative 'alen'.

	Switch n, alen, and rlen to u32.

	The Linux kernel CVE team has assigned CVE-2021-47219 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.82 with commit 8440377e1a5644779b4c8d013aa2a917f5fc83c3
	Fixed in 5.15.5 with commit 66523553fa62c7878fc5441dc4e82be71934eb77
	Fixed in 5.16 with commit f347c26836c270199de1599c3cd466bb7747caa9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47219
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/scsi_debug.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8440377e1a5644779b4c8d013aa2a917f5fc83c3
	https://git.kernel.org/stable/c/66523553fa62c7878fc5441dc4e82be71934eb77
	https://git.kernel.org/stable/c/f347c26836c270199de1599c3cd466bb7747caa9