{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47182", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-03-25T09:12:14.112Z", "datePublished": "2024-04-10T18:56:23.739Z", "dateUpdated": "2024-12-19T07:36:57.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T07:36:57.426Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n occupying bytes 7 and 8 of the CDB. With this command, access to mode\n pages larger than 255 bytes is thus possible. However, the CDB\n allocation length field is set by assigning len to byte 8 only, thus\n truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n is increased to 8 and 4 respectively, and the buffer is zero filled\n with these increased values, thus corrupting the memory following the\n buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the folowing:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n descriptor length fields of the mode sense reply header instead of using\n an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n Block Descriptor, which is the opposite of what the dbd argument\n description was."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_lib.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e15de347faf4a9f494cbd4e9a623d343dc1b5851", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "17b49bcbf8351d3dbe57204468ac34f033ed60bc", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/scsi_lib.c"], "versions": [{"version": "5.15.5", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"}, {"url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"}], "title": "scsi: core: Fix scsi_mode_sense() buffer length handling", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.223Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47182", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:50:20.736053Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:41.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.223Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47182", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:50:20.736053Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.112Z"}}], "cna": {"title": "scsi: core: Fix scsi_mode_sense() buffer length handling", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "e15de347faf4", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "17b49bcbf835", "versionType": "git"}], "programFiles": ["drivers/scsi/scsi_lib.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.15.5", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16", "versionType": "semver", "lessThanOrEqual": "*"}], "programFiles": ["drivers/scsi/scsi_lib.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"}, {"url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"}], "x_generator": {"engine": "bippy-c8e10e5f6187"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n occupying bytes 7 and 8 of the CDB. With this command, access to mode\n pages larger than 255 bytes is thus possible. However, the CDB\n allocation length field is set by assigning len to byte 8 only, thus\n truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n is increased to 8 and 4 respectively, and the buffer is zero filled\n with these increased values, thus corrupting the memory following the\n buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the folowing:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n descriptor length fields of the mode sense reply header instead of using\n an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n Block Descriptor, which is the opposite of what the dbd argument\n description was."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T11:36:20.441Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47182", "state": "PUBLISHED", "dateUpdated": "2024-11-04T11:36:20.441Z", "dateReserved": "2024-03-25T09:12:14.112Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-10T18:56:23.739Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2845F69-264B-45BD-B7E7-D12B24338382", "versionEndExcluding": "5.15.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n occupying bytes 7 and 8 of the CDB. With this command, access to mode\n pages larger than 255 bytes is thus possible. However, the CDB\n allocation length field is set by assigning len to byte 8 only, thus\n truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n is increased to 8 and 4 respectively, and the buffer is zero filled\n with these increased values, thus corrupting the memory following the\n buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the folowing:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n descriptor length fields of the mode sense reply header instead of using\n an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n Block Descriptor, which is the opposite of what the dbd argument\n description was."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: Fix scsi_mode_sense() buffer length management Existen varios problemas con el manejo de la longitud del b\u00fafer de scsi_mode_sense(): 1) El campo de longitud de asignaci\u00f3n del comando MODE SENSE(10) es de 16 bits y ocupa los bytes 7 y 8 del CDB. Con este comando, es posible acceder a p\u00e1ginas de modo mayores de 255 bytes. Sin embargo, el campo de longitud de asignaci\u00f3n del CDB se establece asignando len solo al byte 8, truncando as\u00ed la longitud del b\u00fafer mayor de 255. 2) Si se llama a scsi_mode_sense() con len menor que 8 con sdev->use_10_for_ms establecido, o menor que 4 en caso contrario, la longitud del b\u00fafer aumenta a 8 y 4 respectivamente, y el b\u00fafer se rellena con ceros con estos valores aumentados, corrompiendo as\u00ed la memoria que sigue al b\u00fafer. Solucione estos 2 problemas usando put_unaligned_be16() para configurar el campo de longitud de asignaci\u00f3n de MODE SENSE(10) CDB y devolviendo un error cuando len sea demasiado peque\u00f1o. Adem\u00e1s, si len es mayor que 255B, siempre intente MODE SENSE(10) primero, incluso si el controlador del dispositivo no configur\u00f3 sdev->use_10_for_ms. En caso de error de c\u00f3digo de operaci\u00f3n no v\u00e1lido para MODE SENSE(10), el acceso a p\u00e1ginas de modo mayores a 255 bytes no se vuelve a intentar usando MODE SENSE(6). Para evitar desbordamientos de longitud de b\u00fafer para el caso de MODE_SENSE(10), verifique que len sea menor a 65535 bytes. Mientras lo hace, tambi\u00e9n solucione lo siguiente: * Use get_unaligned_be16() para recuperar los campos de longitud de datos de modo y longitud de descriptor de bloque del encabezado de respuesta de sentido de modo en lugar de usar un c\u00e1lculo de c\u00f3digo abierto. * Corregir la explicaci\u00f3n del argumento dbd de kdoc: el bit DBD significa Deshabilitar descriptor de bloque, que es lo opuesto a lo que era la descripci\u00f3n del argumento dbd."}], "id": "CVE-2021-47182", "lastModified": "2025-03-21T11:54:05.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-10T19:15:47.243", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: scsi: core: Fix scsi_mode_sense() buffer length handling", "id": "2274627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274627"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-805", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nscsi: core: Fix scsi_mode_sense() buffer length handling\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n1) The allocation length field of the MODE SENSE(10) command is 16-bits,\noccupying bytes 7 and 8 of the CDB. With this command, access to mode\npages larger than 255 bytes is thus possible. However, the CDB\nallocation length field is set by assigning len to byte 8 only, thus\ntruncating buffer length larger than 255.\n2) If scsi_mode_sense() is called with len smaller than 8 with\nsdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\nis increased to 8 and 4 respectively, and the buffer is zero filled\nwith these increased values, thus corrupting the memory following the\nbuffer.\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\nWhile at it, also fix the folowing:\n* Use get_unaligned_be16() to retrieve the mode data length and block\ndescriptor length fields of the mode sense reply header instead of using\nan open coded calculation.\n* Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\nBlock Descriptor, which is the opposite of what the dbd argument\ndescription was."], "name": "CVE-2021-47182", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47182\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47182\nhttps://lore.kernel.org/linux-cve-announce/2024041032-CVE-2021-47182-377e@gregkh/T"], "threat_severity": "Low"}