CVE-2021-47191: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()

The following warning was observed running syzkaller:

[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
[ 3813.830724] program syz-executor not setting count and/or reply_len properly
[ 3813.836956] ==================================================================
[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
[ 3813.846612] Call Trace:
[ 3813.846995] dump_stack+0x108/0x15f
[ 3813.847524] print_address_description+0xa5/0x372
[ 3813.848243] kasan_report.cold+0x236/0x2a8
[ 3813.849439] check_memory_region+0x240/0x270
[ 3813.850094] memcpy+0x30/0x80
[ 3813.850553] sg_copy_buffer+0x157/0x1e0
[ 3813.853032] sg_copy_from_buffer+0x13/0x20
[ 3813.853660] fill_from_dev_buffer+0x135/0x370
[ 3813.854329] resp_readcap16+0x1ac/0x280
[ 3813.856917] schedule_resp+0x41f/0x1630
[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0
[ 3813.862699] scsi_dispatch_cmd+0x330/0x950
[ 3813.863329] scsi_request_fn+0xd8e/0x1710
[ 3813.863946] __blk_run_queue+0x10b/0x230
[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400
[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420
[ 3813.871637] sg_write+0x6c8/0xef0
[ 3813.878853] __vfs_write+0xe4/0x800
[ 3813.883487] vfs_write+0x17b/0x530
[ 3813.884008] ksys_write+0x103/0x270
[ 3813.886268] __x64_sys_write+0x77/0xc0
[ 3813.886841] do_syscall_64+0x106/0x360
[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9

This issue can be reproduced with the following syzkaller log:

r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)

In resp_readcap16() we get "int alloc_len" value -1104926854, and then pass the huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This leads to OOB in sg_copy_buffer(). To solve this issue, define alloc_len as u32.
AI Analysis
Technical Summary
CVE-2021-47191 is a vulnerability in the Linux kernel's SCSI debug driver (scsi_debug), specifically in the resp_readcap16() function. The issue is an out-of-bounds (OOB) read caused by improper handling of the alloc_len variable, which was declared as a signed integer (int) rather than an unsigned 32-bit integer (u32). Because of this, a negative value is accepted as the length of the data to copy and is then interpreted as a very large unsigned length, producing an out-of-bounds read in sg_copy_buffer().

The vulnerability was found through fuzz testing with syzkaller, which produced kernel warnings and a KASAN (Kernel Address Sanitizer) report of a stack-out-of-bounds read. The root cause is that resp_readcap16() takes an alloc_len value that can be negative (-1104926854 in the reported case) and passes it on as a large unsigned length to fill_from_dev_buffer(), which then reads beyond the 32-byte response buffer. This can lead to kernel memory corruption or information disclosure.

The vulnerability affects the Linux kernel versions containing the faulty commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) and was publicly disclosed in April 2024. The fix redefines alloc_len as an unsigned 32-bit integer, so the value can no longer be negative and the bounds check against the buffer size is effective. No exploits are known in the wild, and the vulnerability requires local code execution or kernel interaction, typically through the scsi_debug driver interface, which is mostly used for testing and development rather than in production environments.
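The mechanism described in the kernel description and in the summary above can be shown in a small user-space model. The following C program is an added example written for this page, not the kernel's code: the function names mirror the advisory, but the bodies are simplified and the 32-byte buffer, the signed min() in the pre-fix path and the READ CAPACITY(16) CDB layout (allocation length in bytes 10..13, big-endian) are assumptions about the driver rather than quotations from it. The CDB is constructed; its allocation-length bytes be 24 27 7a are the same four bytes that appear in the syzkaller blob quoted in the description, and they decode to exactly the -1104926854 the advisory reports. Nothing here performs an out-of-bounds access; the two variants only report the length that would have reached the copy.

```c
/* User-space model of the signed-length bug behind CVE-2021-47191.
 * Added illustration for this page; not the scsi_debug driver's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the READ CAPACITY(16) response array: the advisory says arr is 32 bytes. */
#define READCAP16_ARR_SZ 32

/* Constructed 16-byte READ CAPACITY(16) CDB (opcode 0x9e, service action 0x10).
 * Bytes 10..13 carry the allocation length; be 24 27 7a is the big-endian
 * encoding of 3190040442, which reads as -1104926854 in a 32-bit signed int. */
static const unsigned char sample_cdb[16] = {
    0x9e, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0xbe, 0x24, 0x27, 0x7a, 0, 0
};

/* Constructed benign CDB asking for 16 bytes, where both variants must agree. */
static const unsigned char benign_cdb[16] = {
    0x9e, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x00, 0x00, 0x10, 0, 0
};

/* Big-endian 32-bit load, the role get_unaligned_be32() plays in the driver. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The allocation length as the pre-fix code saw it: a signed int.
 * (Converting a value above INT_MAX to int wraps on the usual toolchains.) */
int alloc_len_as_int(const unsigned char *cdb)
{
    return (int)be32(cdb + 10);
}

/* Pre-fix length computation (assumed shape): a signed min() lets a negative
 * alloc_len win, and that negative int becomes a huge size_t at the copy,
 * which is the "huge arr_len" the advisory describes. No copy is done here. */
size_t vulnerable_copy_len(const unsigned char *cdb)
{
    int alloc_len = alloc_len_as_int(cdb);
    int arr_len = alloc_len < READCAP16_ARR_SZ ? alloc_len : READCAP16_ARR_SZ;
    return (size_t)arr_len;
}

/* Post-fix length computation: with alloc_len as u32 the min() against the
 * buffer size is a real upper bound, so at most 32 bytes are ever copied. */
size_t fixed_copy_len(const unsigned char *cdb)
{
    uint32_t alloc_len = be32(cdb + 10);
    uint32_t arr_len = alloc_len < READCAP16_ARR_SZ ? alloc_len : READCAP16_ARR_SZ;
    return (size_t)arr_len;
}

/* Defensive copy that rejects any length the source or destination cannot
 * hold, whatever arithmetic produced it. Returns bytes copied, 0 on rejection. */
size_t bounded_fill(unsigned char *dst, size_t dst_cap,
                    const unsigned char *src, size_t src_len, size_t want)
{
    if (want > dst_cap || want > src_len)
        return 0;
    memcpy(dst, src, want);
    return want;
}

int main(void)
{
    unsigned char arr[READCAP16_ARR_SZ] = {0};
    unsigned char out[64];

    printf("alloc_len as int : %d\n", alloc_len_as_int(sample_cdb));
    printf("pre-fix length   : %zu\n", vulnerable_copy_len(sample_cdb));
    printf("post-fix length  : %zu\n", fixed_copy_len(sample_cdb));
    printf("bounded copy     : %zu bytes\n",
           bounded_fill(out, sizeof out, arr, sizeof arr,
                        vulnerable_copy_len(sample_cdb)));
    return 0;
}
```

The contrast between vulnerable_copy_len() and fixed_copy_len() is the whole fix: the type change alone turns the min() into a working bound. bounded_fill() shows the second layer a reviewer would want in any copy helper, a check against the real destination capacity rather than trust in the caller's length.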
Potential Impact
For European organizations, the impact of CVE-2021-47191 depends largely on the deployment of vulnerable Linux kernels with the scsi_debug driver enabled. While scsi_debug is primarily a testing and development driver, some environments may have it enabled for diagnostic or virtualization purposes. Exploitation could lead to kernel memory corruption, causing system instability, crashes, or potential information disclosure. This could disrupt critical infrastructure, especially in sectors relying on Linux-based servers and embedded systems. Although no known exploits exist in the wild, the vulnerability could be leveraged by attackers with local access or through compromised containers or virtual machines to escalate privileges or cause denial of service. European organizations with high reliance on Linux servers, cloud infrastructure, or embedded Linux devices should consider this vulnerability seriously, particularly those in finance, telecommunications, manufacturing, and government sectors where system availability and data integrity are paramount.
Mitigation Recommendations
1. Apply the official Linux kernel patches that redefine alloc_len as u32 in the scsi_debug driver to eliminate the out-of-bounds read.
2. Audit and disable the scsi_debug driver on production systems unless explicitly required for testing or diagnostics.
3. Implement strict access controls to limit local user access to systems running vulnerable kernels, reducing the risk of exploitation.
4. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) and other runtime protections to detect and prevent memory corruption.
5. Monitor kernel logs for unusual SCSI debug driver activity or kernel warnings indicative of exploitation attempts.
6. For virtualized environments, ensure hypervisor and guest OS isolation to prevent lateral movement if the vulnerability is exploited within a guest.
7. Regularly update Linux distributions to incorporate security patches promptly, especially for kernels used in critical infrastructure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-03-25T09:12:14.113Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea001
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 5:50:54 PM
Last updated: 8/15/2025, 8:57:14 PM