{
  "threat_severity" : "Moderate",
  "public_date" : "2024-06-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: scsi: scsi_debug: Fix type in min_t to avoid stack OOB",
    "id" : "2293249",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293249"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-843",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nscsi: scsi_debug: Fix type in min_t to avoid stack OOB\nChange min_t() to use type \"u32\" instead of type \"int\" to avoid stack out\nof bounds. With min_t() type \"int\" the values get sign extended and the\nlarger value gets used causing stack out of bounds.\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]\nBUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976\nRead of size 127 at addr ffff888072607128 by task syz-executor.7/18707\nCPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1\nHardware name: Red Hat KVM, BIOS 1.13.0-2\nCall Trace:\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256\n__kasan_report mm/kasan/report.c:442 [inline]\nkasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459\ncheck_region_inline mm/kasan/generic.c:183 [inline]\nkasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189\nmemcpy+0x23/0x60 mm/kasan/shadow.c:65\nmemcpy include/linux/fortify-string.h:191 [inline]\nsg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976\nsg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000\nfill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162\nfill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]\nresp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887\nschedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478\nscsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533\nscsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]\nscsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699\nblk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639\n__blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\nblk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n__blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761\n__blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838\nblk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\nblk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\nblk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62\nsg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836\nsg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774\nsg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939\nsg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae", "A vulnerability was found in the Linux kernel's SCSI driver, in the sg_copy_buffer() function, where an incorrect type in the min_t() macro can lead to a stack out-of-bounds condition. This occurs due to sign extension of larger values, which may result in memory corruption or DoS." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7444",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-425.3.1.rt7.213.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7683",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-425.3.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:7933",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9::nfv",
    "package" : "kernel-rt-0:5.14.0-162.6.1.rt21.168.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-47580\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47580\nhttps://lore.kernel.org/linux-cve-announce/2024061916-CVE-2021-47580-eac9@gregkh/T" ],
  "name" : "CVE-2021-47580",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}