CVE-2021-47182— scsi: core: Fix scsi_mode_sense() buffer length handling
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-47182
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
scsi: core: Fix scsi_mode_sense() buffer length handling
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix scsi_mode_sense() buffer length handling Several problems exist with scsi_mode_sense() buffer length handling: 1) The allocation length field of the MODE SENSE(10) command is 16-bits, occupying bytes 7 and 8 of the CDB. With this command, access to mode pages larger than 255 bytes is thus possible. However, the CDB allocation length field is set by assigning len to byte 8 only, thus truncating buffer length larger than 255. 2) If scsi_mode_sense() is called with len smaller than 8 with sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length is increased to 8 and 4 respectively, and the buffer is zero filled with these increased values, thus corrupting the memory following the buffer. Fix these 2 problems by using put_unaligned_be16() to set the allocation length field of MODE SENSE(10) CDB and by returning an error when len is too small. Furthermore, if len is larger than 255B, always try MODE SENSE(10) first, even if the device driver did not set sdev->use_10_for_ms. In case of invalid opcode error for MODE SENSE(10), access to mode pages larger than 255 bytes are not retried using MODE SENSE(6). To avoid buffer length overflows for the MODE_SENSE(10) case, check that len is smaller than 65535 bytes. While at it, also fix the folowing: * Use get_unaligned_be16() to retrieve the mode data length and block descriptor length fields of the mode sense reply header instead of using an open coded calculation. * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable Block Descriptor, which is the opposite of what the dbd argument description was.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于函数scsi_mode_sense缓冲区长度处理不当,导致存在安全漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-47182
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-47182
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-04-10 · 39 CVEs total
| CVE-2021-47210 | usb: typec: tipd: Remove WARN_ON in tps6598x_block_read | |
| CVE-2021-47200 | drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap | |
| CVE-2021-47201 | iavf: free q_vectors before queues in iavf_disable_vf | |
| CVE-2021-47202 | thermal: Fix NULL pointer dereferences in of_thermal_ functions | |
| CVE-2021-47203 | scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() | |
| CVE-2021-47204 | net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove | |
| CVE-2021-47205 | clk: sunxi-ng: Unregister clocks/resets when unbinding | |
| CVE-2021-47206 | usb: host: ohci-tmio: check return value after calling platform_get_resource() | |
| CVE-2021-47207 | ALSA: gus: fix null pointer dereference on pointer block | |
| CVE-2021-47209 | sched/fair: Prevent dead task groups from regaining cfs_rq's | |
| CVE-2021-47199 | net/mlx5e: CT, Fix multiple allocations and memleak of mod acts | |
| CVE-2021-47211 | ALSA: usb-audio: fix null pointer dereference on pointer cs_desc | |
| CVE-2021-47212 | net/mlx5: Update error handler for UCTX and UMEM | |
| CVE-2021-47214 | hugetlb, userfaultfd: fix reservation restore on userfaultfd error | |
| CVE-2021-47215 | net/mlx5e: kTLS, Fix crash in RX resync flow | |
| CVE-2021-47216 | scsi: advansys: Fix kernel pointer leak | |
| CVE-2021-47217 | x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails | |
| CVE-2021-47218 | selinux: fix NULL-pointer dereference when hashtab allocation fails | |
| CVE-2021-47219 | scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs() | |
| CVE-2021-47190 | perf bpf: Avoid memory leak from perf_env__insert_btf() |
Showing top 20 of 39 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2021-47182
No comments yet