CVE-2021-47578: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Don't call kcalloc() if size arg is zero If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of that, for a following NULL pointer check to work on the returned pointer, kcalloc() must not be called with the size arg equal to zero. Return early without error before the kcalloc() call if size arg is zero. BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789 CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x3b/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline] do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline] resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline] scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2021-47578 is a vulnerability identified in the Linux kernel, specifically within the SCSI debug driver (scsi_debug). The root cause of the vulnerability is improper handling of a zero-size argument passed to the kernel memory allocation function kcalloc(). When kcalloc() is called with a size argument of zero, it returns a special ZERO_SIZE_PTR pointer rather than a NULL pointer. The vulnerable code incorrectly assumes that a NULL pointer will be returned and performs a NULL pointer check to validate the allocation. This logic flaw leads to a null pointer dereference during subsequent memory operations, such as memcpy(), which can cause a kernel crash (BUG) or potentially lead to more severe consequences depending on the context of exploitation. The vulnerability manifests as a null pointer dereference detected by Kernel Address Sanitizer (KASAN) in functions related to scatter-gather list copying (sg_copy_buffer) and SCSI debug command processing (scsi_debug_queuecommand). The issue arises because the code does not return early when the size argument is zero, leading to unsafe memory operations on the ZERO_SIZE_PTR. This vulnerability affects Linux kernel versions including 5.15.0-syzk and likely others with similar scsi_debug driver implementations. The vulnerability is classified as a kernel bug that can cause system instability or denial of service due to kernel crashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The fix involves adding an early return before calling kcalloc() if the size argument is zero, preventing the unsafe memory operation and subsequent null pointer dereference.
Potential Impact
For European organizations relying on Linux-based systems, especially those using the scsi_debug driver for testing or emulation of SCSI devices, this vulnerability poses a risk of kernel crashes leading to denial of service (DoS). While the scsi_debug driver is primarily used for debugging and testing rather than production workloads, the underlying issue highlights a kernel memory management flaw that could be exploited in certain scenarios to disrupt system availability. Organizations running virtualized environments or development/testing platforms with affected kernel versions may experience system instability or crashes if this vulnerability is triggered. Although no direct evidence of remote exploitation exists, local attackers or malicious processes with access to the vulnerable driver interface could potentially trigger the bug to cause DoS or crash critical systems. This could impact availability of services, especially in environments where Linux kernels are deployed in critical infrastructure, cloud services, or enterprise servers. Confidentiality and integrity impacts are limited as the vulnerability primarily causes a null pointer dereference rather than arbitrary code execution. However, repeated crashes could lead to operational disruptions and increased risk of cascading failures in complex systems. Given the widespread use of Linux in European data centers, cloud providers, and enterprise IT infrastructure, this vulnerability warrants prompt attention to maintain system stability and reliability.
Mitigation Recommendations
European organizations should implement the following specific mitigation steps: 1) Identify and inventory all Linux systems running kernel versions that include the vulnerable scsi_debug driver, particularly those around version 5.15.0 and similar. 2) Apply the official Linux kernel patches that address CVE-2021-47578 as soon as they become available from trusted Linux distributions or kernel maintainers. 3) If immediate patching is not possible, disable or restrict access to the scsi_debug driver module to prevent local users or processes from triggering the vulnerability. This can be done by blacklisting the module or unloading it if not required. 4) Monitor system logs and kernel crash reports for signs of null pointer dereference or KASAN alerts related to scsi_debug or scatterlist operations. 5) For development and testing environments using scsi_debug, ensure strict access controls and limit exposure to untrusted users or processes. 6) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates across all affected Linux systems. 7) Engage with Linux distribution vendors for guidance and updates on backported patches or mitigations specific to enterprise kernel versions. These targeted actions go beyond generic advice by focusing on the specific driver and kernel versions involved, emphasizing access control and monitoring in addition to patching.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2021-47578: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Don't call kcalloc() if size arg is zero If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of that, for a following NULL pointer check to work on the returned pointer, kcalloc() must not be called with the size arg equal to zero. Return early without error before the kcalloc() call if size arg is zero. BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789 CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x3b/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline] do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline] resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline] scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI-Powered Analysis
Technical Analysis
CVE-2021-47578 is a vulnerability identified in the Linux kernel, specifically within the SCSI debug driver (scsi_debug). The root cause of the vulnerability is improper handling of a zero-size argument passed to the kernel memory allocation function kcalloc(). When kcalloc() is called with a size argument of zero, it returns a special ZERO_SIZE_PTR pointer rather than a NULL pointer. The vulnerable code incorrectly assumes that a NULL pointer will be returned and performs a NULL pointer check to validate the allocation. This logic flaw leads to a null pointer dereference during subsequent memory operations, such as memcpy(), which can cause a kernel crash (BUG) or potentially lead to more severe consequences depending on the context of exploitation. The vulnerability manifests as a null pointer dereference detected by Kernel Address Sanitizer (KASAN) in functions related to scatter-gather list copying (sg_copy_buffer) and SCSI debug command processing (scsi_debug_queuecommand). The issue arises because the code does not return early when the size argument is zero, leading to unsafe memory operations on the ZERO_SIZE_PTR. This vulnerability affects Linux kernel versions including 5.15.0-syzk and likely others with similar scsi_debug driver implementations. The vulnerability is classified as a kernel bug that can cause system instability or denial of service due to kernel crashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The fix involves adding an early return before calling kcalloc() if the size argument is zero, preventing the unsafe memory operation and subsequent null pointer dereference.
Potential Impact
For European organizations relying on Linux-based systems, especially those using the scsi_debug driver for testing or emulation of SCSI devices, this vulnerability poses a risk of kernel crashes leading to denial of service (DoS). While the scsi_debug driver is primarily used for debugging and testing rather than production workloads, the underlying issue highlights a kernel memory management flaw that could be exploited in certain scenarios to disrupt system availability. Organizations running virtualized environments or development/testing platforms with affected kernel versions may experience system instability or crashes if this vulnerability is triggered. Although no direct evidence of remote exploitation exists, local attackers or malicious processes with access to the vulnerable driver interface could potentially trigger the bug to cause DoS or crash critical systems. This could impact availability of services, especially in environments where Linux kernels are deployed in critical infrastructure, cloud services, or enterprise servers. Confidentiality and integrity impacts are limited as the vulnerability primarily causes a null pointer dereference rather than arbitrary code execution. However, repeated crashes could lead to operational disruptions and increased risk of cascading failures in complex systems. Given the widespread use of Linux in European data centers, cloud providers, and enterprise IT infrastructure, this vulnerability warrants prompt attention to maintain system stability and reliability.
Mitigation Recommendations
European organizations should implement the following specific mitigation steps: 1) Identify and inventory all Linux systems running kernel versions that include the vulnerable scsi_debug driver, particularly those around version 5.15.0 and similar. 2) Apply the official Linux kernel patches that address CVE-2021-47578 as soon as they become available from trusted Linux distributions or kernel maintainers. 3) If immediate patching is not possible, disable or restrict access to the scsi_debug driver module to prevent local users or processes from triggering the vulnerability. This can be done by blacklisting the module or unloading it if not required. 4) Monitor system logs and kernel crash reports for signs of null pointer dereference or KASAN alerts related to scsi_debug or scatterlist operations. 5) For development and testing environments using scsi_debug, ensure strict access controls and limit exposure to untrusted users or processes. 6) Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates across all affected Linux systems. 7) Engage with Linux distribution vendors for guidance and updates on backported patches or mitigations specific to enterprise kernel versions. These targeted actions go beyond generic advice by focusing on the specific driver and kernel versions involved, emphasizing access control and monitoring in addition to patching.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-24T15:11:00.730Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe94ef
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:55:27 PM
Last updated: 8/12/2025, 8:20:58 AM
Views: 14
Related Threats
CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighCVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.