CVE-2021-47182 (GCVE-0-2021-47182)

Vulnerability from cvelistv5 – Published: 2024-04-10 18:56 – Updated: 2026-05-11 13:49
VLAI
Title
scsi: core: Fix scsi_mode_sense() buffer length handling
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix scsi_mode_sense() buffer length handling Several problems exist with scsi_mode_sense() buffer length handling: 1) The allocation length field of the MODE SENSE(10) command is 16-bits, occupying bytes 7 and 8 of the CDB. With this command, access to mode pages larger than 255 bytes is thus possible. However, the CDB allocation length field is set by assigning len to byte 8 only, thus truncating buffer length larger than 255. 2) If scsi_mode_sense() is called with len smaller than 8 with sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length is increased to 8 and 4 respectively, and the buffer is zero filled with these increased values, thus corrupting the memory following the buffer. Fix these 2 problems by using put_unaligned_be16() to set the allocation length field of MODE SENSE(10) CDB and by returning an error when len is too small. Furthermore, if len is larger than 255B, always try MODE SENSE(10) first, even if the device driver did not set sdev->use_10_for_ms. In case of invalid opcode error for MODE SENSE(10), access to mode pages larger than 255 bytes are not retried using MODE SENSE(6). To avoid buffer length overflows for the MODE_SENSE(10) case, check that len is smaller than 65535 bytes. While at it, also fix the folowing: * Use get_unaligned_be16() to retrieve the mode data length and block descriptor length fields of the mode sense reply header instead of using an open coded calculation. * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable Block Descriptor, which is the opposite of what the dbd argument description was.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e15de347faf4a9f494cbd4e9a623d343dc1b5851 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17b49bcbf8351d3dbe57204468ac34f033ed60bc (git)
Create a notification for this product.
Linux Linux Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.15.5 , ≤ 5.15.* (semver)
Unaffected: 5.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:07.223Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47182",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:50:20.736053Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:41.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e15de347faf4a9f494cbd4e9a623d343dc1b5851",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17b49bcbf8351d3dbe57204468ac34f033ed60bc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.5",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\n    pages larger than 255 bytes is thus possible. However, the CDB\n    allocation length field is set by assigning len to byte 8 only, thus\n    truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n    sdev-\u003euse_10_for_ms set, or smaller than 4 otherwise, the buffer length\n    is increased to 8 and 4 respectively, and the buffer is zero filled\n    with these increased values, thus corrupting the memory following the\n    buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev-\u003euse_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the folowing:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n   descriptor length fields of the mode sense reply header instead of using\n   an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n   Block Descriptor, which is the opposite of what the dbd argument\n   description was."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T13:49:33.918Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"
        },
        {
          "url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"
        }
      ],
      "title": "scsi: core: Fix scsi_mode_sense() buffer length handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47182",
    "datePublished": "2024-04-10T18:56:23.739Z",
    "dateReserved": "2024-03-25T09:12:14.112Z",
    "dateUpdated": "2026-05-11T13:49:33.918Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-47182",
      "date": "2026-06-15",
      "epss": "0.00196",
      "percentile": "0.09434"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix scsi_mode_sense() buffer length handling\\n\\nSeveral problems exist with scsi_mode_sense() buffer length handling:\\n\\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\\n    pages larger than 255 bytes is thus possible. However, the CDB\\n    allocation length field is set by assigning len to byte 8 only, thus\\n    truncating buffer length larger than 255.\\n\\n 2) If scsi_mode_sense() is called with len smaller than 8 with\\n    sdev-\u003euse_10_for_ms set, or smaller than 4 otherwise, the buffer length\\n    is increased to 8 and 4 respectively, and the buffer is zero filled\\n    with these increased values, thus corrupting the memory following the\\n    buffer.\\n\\nFix these 2 problems by using put_unaligned_be16() to set the allocation\\nlength field of MODE SENSE(10) CDB and by returning an error when len is\\ntoo small.\\n\\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\\neven if the device driver did not set sdev-\u003euse_10_for_ms. In case of\\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\\nbytes.\\n\\nWhile at it, also fix the folowing:\\n\\n * Use get_unaligned_be16() to retrieve the mode data length and block\\n   descriptor length fields of the mode sense reply header instead of using\\n   an open coded calculation.\\n\\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\\n   Block Descriptor, which is the opposite of what the dbd argument\\n   description was.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: Fix scsi_mode_sense() buffer length management Existen varios problemas con el manejo de la longitud del b\\u00fafer de scsi_mode_sense(): 1) El campo de longitud de asignaci\\u00f3n del comando MODE SENSE(10) es de 16 bits y ocupa los bytes 7 y 8 del CDB. Con este comando, es posible acceder a p\\u00e1ginas de modo mayores de 255 bytes. Sin embargo, el campo de longitud de asignaci\\u00f3n del CDB se establece asignando len solo al byte 8, truncando as\\u00ed la longitud del b\\u00fafer mayor de 255. 2) Si se llama a scsi_mode_sense() con len menor que 8 con sdev-\u0026gt;use_10_for_ms establecido, o menor que 4 en caso contrario, la longitud del b\\u00fafer aumenta a 8 y 4 respectivamente, y el b\\u00fafer se rellena con ceros con estos valores aumentados, corrompiendo as\\u00ed la memoria que sigue al b\\u00fafer. Solucione estos 2 problemas usando put_unaligned_be16() para configurar el campo de longitud de asignaci\\u00f3n de MODE SENSE(10) CDB y devolviendo un error cuando len sea demasiado peque\\u00f1o. Adem\\u00e1s, si len es mayor que 255B, siempre intente MODE SENSE(10) primero, incluso si el controlador del dispositivo no configur\\u00f3 sdev-\u0026gt;use_10_for_ms. En caso de error de c\\u00f3digo de operaci\\u00f3n no v\\u00e1lido para MODE SENSE(10), el acceso a p\\u00e1ginas de modo mayores a 255 bytes no se vuelve a intentar usando MODE SENSE(6). Para evitar desbordamientos de longitud de b\\u00fafer para el caso de MODE_SENSE(10), verifique que len sea menor a 65535 bytes. Mientras lo hace, tambi\\u00e9n solucione lo siguiente: * Use get_unaligned_be16() para recuperar los campos de longitud de datos de modo y longitud de descriptor de bloque del encabezado de respuesta de sentido de modo en lugar de usar un c\\u00e1lculo de c\\u00f3digo abierto. * Corregir la explicaci\\u00f3n del argumento dbd de kdoc: el bit DBD significa Deshabilitar descriptor de bloque, que es lo opuesto a lo que era la descripci\\u00f3n del argumento dbd.\"}]",
      "id": "CVE-2021-47182",
      "lastModified": "2024-11-21T06:35:34.437",
      "published": "2024-04-10T19:15:47.243",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47182\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-10T19:15:47.243\",\"lastModified\":\"2025-03-21T11:54:05.513\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix scsi_mode_sense() buffer length handling\\n\\nSeveral problems exist with scsi_mode_sense() buffer length handling:\\n\\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\\n    pages larger than 255 bytes is thus possible. However, the CDB\\n    allocation length field is set by assigning len to byte 8 only, thus\\n    truncating buffer length larger than 255.\\n\\n 2) If scsi_mode_sense() is called with len smaller than 8 with\\n    sdev-\u003euse_10_for_ms set, or smaller than 4 otherwise, the buffer length\\n    is increased to 8 and 4 respectively, and the buffer is zero filled\\n    with these increased values, thus corrupting the memory following the\\n    buffer.\\n\\nFix these 2 problems by using put_unaligned_be16() to set the allocation\\nlength field of MODE SENSE(10) CDB and by returning an error when len is\\ntoo small.\\n\\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\\neven if the device driver did not set sdev-\u003euse_10_for_ms. In case of\\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\\nbytes.\\n\\nWhile at it, also fix the folowing:\\n\\n * Use get_unaligned_be16() to retrieve the mode data length and block\\n   descriptor length fields of the mode sense reply header instead of using\\n   an open coded calculation.\\n\\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\\n   Block Descriptor, which is the opposite of what the dbd argument\\n   description was.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: Fix scsi_mode_sense() buffer length management Existen varios problemas con el manejo de la longitud del b\u00fafer de scsi_mode_sense(): 1) El campo de longitud de asignaci\u00f3n del comando MODE SENSE(10) es de 16 bits y ocupa los bytes 7 y 8 del CDB. Con este comando, es posible acceder a p\u00e1ginas de modo mayores de 255 bytes. Sin embargo, el campo de longitud de asignaci\u00f3n del CDB se establece asignando len solo al byte 8, truncando as\u00ed la longitud del b\u00fafer mayor de 255. 2) Si se llama a scsi_mode_sense() con len menor que 8 con sdev-\u0026gt;use_10_for_ms establecido, o menor que 4 en caso contrario, la longitud del b\u00fafer aumenta a 8 y 4 respectivamente, y el b\u00fafer se rellena con ceros con estos valores aumentados, corrompiendo as\u00ed la memoria que sigue al b\u00fafer. Solucione estos 2 problemas usando put_unaligned_be16() para configurar el campo de longitud de asignaci\u00f3n de MODE SENSE(10) CDB y devolviendo un error cuando len sea demasiado peque\u00f1o. Adem\u00e1s, si len es mayor que 255B, siempre intente MODE SENSE(10) primero, incluso si el controlador del dispositivo no configur\u00f3 sdev-\u0026gt;use_10_for_ms. En caso de error de c\u00f3digo de operaci\u00f3n no v\u00e1lido para MODE SENSE(10), el acceso a p\u00e1ginas de modo mayores a 255 bytes no se vuelve a intentar usando MODE SENSE(6). Para evitar desbordamientos de longitud de b\u00fafer para el caso de MODE_SENSE(10), verifique que len sea menor a 65535 bytes. Mientras lo hace, tambi\u00e9n solucione lo siguiente: * Use get_unaligned_be16() para recuperar los campos de longitud de datos de modo y longitud de descriptor de bloque del encabezado de respuesta de sentido de modo en lugar de usar un c\u00e1lculo de c\u00f3digo abierto. * Corregir la explicaci\u00f3n del argumento dbd de kdoc: el bit DBD significa Deshabilitar descriptor de bloque, que es lo opuesto a lo que era la descripci\u00f3n del argumento dbd.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.15.5\",\"matchCriteriaId\":\"B2845F69-264B-45BD-B7E7-D12B24338382\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:32:07.223Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47182\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:50:20.736053Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:18.112Z\"}}], \"cna\": {\"title\": \"scsi: core: Fix scsi_mode_sense() buffer length handling\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"e15de347faf4a9f494cbd4e9a623d343dc1b5851\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"17b49bcbf8351d3dbe57204468ac34f033ed60bc\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/scsi/scsi_lib.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.12\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"2.6.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/scsi/scsi_lib.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851\"}, {\"url\": \"https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix scsi_mode_sense() buffer length handling\\n\\nSeveral problems exist with scsi_mode_sense() buffer length handling:\\n\\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\\n    occupying bytes 7 and 8 of the CDB. With this command, access to mode\\n    pages larger than 255 bytes is thus possible. However, the CDB\\n    allocation length field is set by assigning len to byte 8 only, thus\\n    truncating buffer length larger than 255.\\n\\n 2) If scsi_mode_sense() is called with len smaller than 8 with\\n    sdev-\u003euse_10_for_ms set, or smaller than 4 otherwise, the buffer length\\n    is increased to 8 and 4 respectively, and the buffer is zero filled\\n    with these increased values, thus corrupting the memory following the\\n    buffer.\\n\\nFix these 2 problems by using put_unaligned_be16() to set the allocation\\nlength field of MODE SENSE(10) CDB and by returning an error when len is\\ntoo small.\\n\\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\\neven if the device driver did not set sdev-\u003euse_10_for_ms. In case of\\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\\nbytes.\\n\\nWhile at it, also fix the folowing:\\n\\n * Use get_unaligned_be16() to retrieve the mode data length and block\\n   descriptor length fields of the mode sense reply header instead of using\\n   an open coded calculation.\\n\\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\\n   Block Descriptor, which is the opposite of what the dbd argument\\n   description was.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.5\", \"versionStartIncluding\": \"2.6.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.16\", \"versionStartIncluding\": \"2.6.12\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T13:49:33.918Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47182\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T13:49:33.918Z\", \"dateReserved\": \"2024-03-25T09:12:14.112Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-10T18:56:23.739Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.