CVE-2021-47580 in Linux
Summary
by MITRE • 06/19/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_debug: Fix type in min_t to avoid stack OOB
Change min_t() to use type "u32" instead of type "int" to avoid stack out of bounds. With min_t() type "int" the values get sign extended and the larger value gets used causing stack out of bounds.
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707
CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline]
sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]
resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/10/2025
The vulnerability CVE-2021-47580 affects the Linux kernel's SCSI debugging module, specifically within the scsi_debug driver implementation. This issue stems from an incorrect type specification in the min_t() macro usage, which leads to improper handling of unsigned 32-bit values during stack memory operations. The flaw manifests when the kernel processes SCSI debug commands through the scatter-gather interface, where the use of signed integer types instead of unsigned 32-bit types causes sign extension behavior that can result in stack buffer overflows. The vulnerability is classified under CWE-129 as an Improper Validation of Array Index, and it directly relates to improper handling of memory boundaries in kernel space operations. The specific manifestation occurs in the sg_copy_buffer function within lib/scatterlist.c, where the memcpy operation attempts to copy data beyond the allocated stack buffer boundaries.
The technical root cause involves the min_t() macro which is designed to return the minimum of two values while preserving the type of the first argument. When this macro is used with signed integer types, particularly in contexts where unsigned 32-bit values are expected, the sign extension process causes larger values to be incorrectly selected, leading to oversized buffer operations. The stack overflow occurs because the kernel's memory sanitizer (KASAN) detects that a read operation attempts to access 127 bytes beyond the allocated buffer address ff ff888072607128, which represents an out-of-bounds memory access pattern. The call trace demonstrates the execution path through the SCSI debugging subsystem, starting from the scsi_debug_queuecommand function that handles SCSI command queuing, through the scatter-gather buffer management, and finally to the sg_copy_buffer function where the overflow occurs.
The operational impact of this vulnerability is significant as it can lead to kernel memory corruption and potential system instability or exploitation. Attackers who can control SCSI debug operations or have access to the scsi_debug device interface could potentially leverage this flaw to execute arbitrary code in kernel space, bypassing kernel memory protection mechanisms. The vulnerability affects systems running Linux kernel versions prior to the fix, particularly those utilizing the scsi_debug kernel module for debugging or testing purposes. This type of vulnerability falls under ATT&CK technique T1068 which covers Exploitation for Privilege Escalation, and T1547.001 which covers Registry Run Keys / Startup Folder. The security implications extend beyond simple memory corruption as the flaw could enable attackers to escalate privileges or cause denial of service conditions that may persist until system reboot.
Mitigation strategies for this vulnerability involve applying the official kernel patch that corrects the min_t() macro usage by explicitly specifying the u32 type instead of int. System administrators should ensure all Linux systems running kernel versions affected by this vulnerability are updated with the latest security patches. Additionally, disabling the scsi_debug kernel module when not actively needed provides a temporary workaround, though this may impact debugging capabilities for legitimate users. The fix addresses the core issue by ensuring proper unsigned 32-bit type handling in the buffer size calculations, preventing the sign extension behavior that caused the overflow condition. Regular kernel security updates and monitoring for similar type-related vulnerabilities in kernel subsystems remain crucial for maintaining system security posture. Organizations should also consider implementing kernel memory protection mechanisms and monitoring for suspicious kernel memory access patterns that could indicate exploitation attempts.