CVE-2021-47580: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack out of bounds. With min_t() type "int" the values get sign extended and the larger value gets used causing stack out of bounds. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707 CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline] resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI Analysis
Technical Summary
CVE-2021-47580 is a vulnerability identified in the Linux kernel's SCSI debug driver (scsi_debug). The root cause lies in the misuse of the min_t() macro, which was originally using the "int" type instead of "u32" (unsigned 32-bit integer). This type mismatch leads to sign extension issues where larger values are incorrectly interpreted, causing a stack out-of-bounds (OOB) condition. Specifically, the vulnerability manifests as a stack buffer overflow during memory copy operations within the SCSI debug driver, as evidenced by kernel address sanitizer (KASAN) reports indicating stack-out-of-bounds reads in memcpy calls. The stack OOB can corrupt kernel memory, potentially leading to system instability, crashes (denial of service), or escalation of privileges if exploited. The vulnerability requires local privileges (low complexity) and no user interaction, but it does require some level of access (PR:L) to the system. The CVSS v3.1 score is 6.6 (medium severity), reflecting a high impact on confidentiality, limited impact on integrity, and limited impact on availability. The vulnerability affects Linux kernel versions containing the faulty scsi_debug driver code prior to the patch that changes min_t() to use the correct unsigned type. The scsi_debug driver is primarily used for testing and debugging SCSI subsystems, but it is present in many Linux distributions and environments, including virtualized and containerized setups. Exploitation could allow an attacker with local access to cause kernel memory corruption, potentially leading to privilege escalation or denial of service. No known exploits are currently reported in the wild. The vulnerability was published on June 19, 2024, and has been addressed by correcting the type used in min_t() to prevent stack OOB conditions.
Potential Impact
For European organizations, the impact of CVE-2021-47580 depends on the deployment of Linux systems running vulnerable kernel versions with the scsi_debug driver enabled. Many enterprises, research institutions, and cloud providers in Europe use Linux extensively, including kernels with scsi_debug for testing or development environments. If exploited, this vulnerability could allow a local attacker to corrupt kernel memory, potentially leading to privilege escalation or denial of service. This could compromise confidentiality by exposing sensitive kernel memory contents, impact system integrity by corrupting kernel data structures, and affect availability through crashes. Organizations running virtualized environments or development/test servers with scsi_debug enabled are particularly at risk. While the vulnerability requires local access, insider threats or attackers who gain initial footholds could leverage this flaw to escalate privileges and move laterally within networks. This elevates the risk profile for critical infrastructure, financial institutions, and government agencies in Europe that rely on Linux-based systems. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. The medium severity rating suggests that while not the highest priority, timely patching is important to maintain system security and stability.
Mitigation Recommendations
1. Apply Kernel Updates: Immediately update Linux kernels to versions where the scsi_debug driver has been patched to fix the min_t() type usage. Use vendor-provided or distribution-specific kernel updates to ensure official patches are applied. 2. Disable scsi_debug Driver: If scsi_debug is not required in production or critical environments, disable or blacklist the module to eliminate the attack surface. 3. Restrict Local Access: Enforce strict access controls and user privilege management to limit who can execute code or commands on affected Linux hosts, reducing the risk of local exploitation. 4. Monitor Kernel Logs: Implement monitoring for kernel warnings or KASAN reports that could indicate attempts to exploit stack OOB conditions or memory corruption. 5. Harden Development/Test Environments: Since scsi_debug is often used in testing, ensure these environments are isolated from production networks and have limited user access. 6. Use Security Modules: Employ Linux Security Modules (e.g., SELinux, AppArmor) to restrict the capabilities of processes that might interact with SCSI devices or the scsi_debug driver. 7. Incident Response Preparedness: Prepare for potential exploitation by having incident detection and response plans focused on kernel-level anomalies and privilege escalation attempts. These mitigations go beyond generic advice by focusing on the specific driver and usage context of the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2021-47580: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack out of bounds. With min_t() type "int" the values get sign extended and the larger value gets used causing stack out of bounds. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707 CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline] resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
AI-Powered Analysis
Technical Analysis
CVE-2021-47580 is a vulnerability identified in the Linux kernel's SCSI debug driver (scsi_debug). The root cause lies in the misuse of the min_t() macro, which was originally using the "int" type instead of "u32" (unsigned 32-bit integer). This type mismatch leads to sign extension issues where larger values are incorrectly interpreted, causing a stack out-of-bounds (OOB) condition. Specifically, the vulnerability manifests as a stack buffer overflow during memory copy operations within the SCSI debug driver, as evidenced by kernel address sanitizer (KASAN) reports indicating stack-out-of-bounds reads in memcpy calls. The stack OOB can corrupt kernel memory, potentially leading to system instability, crashes (denial of service), or escalation of privileges if exploited. The vulnerability requires local privileges (low complexity) and no user interaction, but it does require some level of access (PR:L) to the system. The CVSS v3.1 score is 6.6 (medium severity), reflecting a high impact on confidentiality, limited impact on integrity, and limited impact on availability. The vulnerability affects Linux kernel versions containing the faulty scsi_debug driver code prior to the patch that changes min_t() to use the correct unsigned type. The scsi_debug driver is primarily used for testing and debugging SCSI subsystems, but it is present in many Linux distributions and environments, including virtualized and containerized setups. Exploitation could allow an attacker with local access to cause kernel memory corruption, potentially leading to privilege escalation or denial of service. No known exploits are currently reported in the wild. The vulnerability was published on June 19, 2024, and has been addressed by correcting the type used in min_t() to prevent stack OOB conditions.
Potential Impact
For European organizations, the impact of CVE-2021-47580 depends on the deployment of Linux systems running vulnerable kernel versions with the scsi_debug driver enabled. Many enterprises, research institutions, and cloud providers in Europe use Linux extensively, including kernels with scsi_debug for testing or development environments. If exploited, this vulnerability could allow a local attacker to corrupt kernel memory, potentially leading to privilege escalation or denial of service. This could compromise confidentiality by exposing sensitive kernel memory contents, impact system integrity by corrupting kernel data structures, and affect availability through crashes. Organizations running virtualized environments or development/test servers with scsi_debug enabled are particularly at risk. While the vulnerability requires local access, insider threats or attackers who gain initial footholds could leverage this flaw to escalate privileges and move laterally within networks. This elevates the risk profile for critical infrastructure, financial institutions, and government agencies in Europe that rely on Linux-based systems. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. The medium severity rating suggests that while not the highest priority, timely patching is important to maintain system security and stability.
Mitigation Recommendations
1. Apply Kernel Updates: Immediately update Linux kernels to versions where the scsi_debug driver has been patched to fix the min_t() type usage. Use vendor-provided or distribution-specific kernel updates to ensure official patches are applied. 2. Disable scsi_debug Driver: If scsi_debug is not required in production or critical environments, disable or blacklist the module to eliminate the attack surface. 3. Restrict Local Access: Enforce strict access controls and user privilege management to limit who can execute code or commands on affected Linux hosts, reducing the risk of local exploitation. 4. Monitor Kernel Logs: Implement monitoring for kernel warnings or KASAN reports that could indicate attempts to exploit stack OOB conditions or memory corruption. 5. Harden Development/Test Environments: Since scsi_debug is often used in testing, ensure these environments are isolated from production networks and have limited user access. 6. Use Security Modules: Employ Linux Security Modules (e.g., SELinux, AppArmor) to restrict the capabilities of processes that might interact with SCSI devices or the scsi_debug driver. 7. Incident Response Preparedness: Prepare for potential exploitation by having incident detection and response plans focused on kernel-level anomalies and privilege escalation attempts. These mitigations go beyond generic advice by focusing on the specific driver and usage context of the vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-24T15:11:00.730Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe9500
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:56:13 PM
Last updated: 8/14/2025, 5:46:51 PM
Views: 12
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.