CVE-2021-47192
Vulnerability from cvelistv5
Published
2024-04-10 18:56
Modified
2024-11-04 20:19
Summary
scsi: core: sysfs: Fix hang when device state is set via sysfs
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-47192",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-10T19:44:37.430694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T20:19:53.680Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:07.175Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/edd783162bf2385b43de6764f2d4c6e9f4f6be27"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a792e0128d232251edb5fdf42fb0f9fbb0b44a73"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bcc0e3175a976b7fa9a353960808adb0bb49ead8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4edd8cd4e86dd3047e5294bbefcc0a08f66a430f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "edd783162bf2",
              "status": "affected",
              "version": "69aa1a1a569f",
              "versionType": "git"
            },
            {
              "lessThan": "a792e0128d23",
              "status": "affected",
              "version": "711459514e29",
              "versionType": "git"
            },
            {
              "lessThan": "bcc0e3175a97",
              "status": "affected",
              "version": "f0f82e2476f6",
              "versionType": "git"
            },
            {
              "lessThan": "4edd8cd4e86d",
              "status": "affected",
              "version": "f0f82e2476f6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.82",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: sysfs: Fix hang when device state is set via sysfs\n\nThis fixes a regression added with:\n\ncommit f0f82e2476f6 (\"scsi: core: Fix capacity set to zero after\nofflinining device\")\n\nThe problem is that after iSCSI recovery, iscsid will call into the kernel\nto set the dev\u0027s state to running, and with that patch we now call\nscsi_rescan_device() with the state_mutex held. If the SCSI error handler\nthread is just starting to test the device in scsi_send_eh_cmnd() then it\u0027s\ngoing to try to grab the state_mutex.\n\nWe are then stuck, because when scsi_rescan_device() tries to send its I/O\nscsi_queue_rq() calls -\u003e scsi_host_queue_ready() -\u003e scsi_host_in_recovery()\nwhich will return true (the host state is still in recovery) and I/O will\njust be requeued. scsi_send_eh_cmnd() will then never be able to grab the\nstate_mutex to finish error handling.\n\nTo prevent the deadlock move the rescan-related code to after we drop the\nstate_mutex.\n\nThis also adds a check for if we are already in the running state. This\nprevents extra scans and helps the iscsid case where if the transport class\nhas already onlined the device during its recovery process then we don\u0027t\nneed userspace to do it again plus possibly block that daemon."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:01:14.780Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/edd783162bf2385b43de6764f2d4c6e9f4f6be27"
        },
        {
          "url": "https://git.kernel.org/stable/c/a792e0128d232251edb5fdf42fb0f9fbb0b44a73"
        },
        {
          "url": "https://git.kernel.org/stable/c/bcc0e3175a976b7fa9a353960808adb0bb49ead8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4edd8cd4e86dd3047e5294bbefcc0a08f66a430f"
        }
      ],
      "title": "scsi: core: sysfs: Fix hang when device state is set via sysfs",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47192",
    "datePublished": "2024-04-10T18:56:30.097Z",
    "dateReserved": "2024-03-25T09:12:14.113Z",
    "dateUpdated": "2024-11-04T20:19:53.680Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47192\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-10T19:15:47.710\",\"lastModified\":\"2024-11-04T21:35:00.850\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: sysfs: Fix hang when device state is set via sysfs\\n\\nThis fixes a regression added with:\\n\\ncommit f0f82e2476f6 (\\\"scsi: core: Fix capacity set to zero after\\nofflinining device\\\")\\n\\nThe problem is that after iSCSI recovery, iscsid will call into the kernel\\nto set the dev\u0027s state to running, and with that patch we now call\\nscsi_rescan_device() with the state_mutex held. If the SCSI error handler\\nthread is just starting to test the device in scsi_send_eh_cmnd() then it\u0027s\\ngoing to try to grab the state_mutex.\\n\\nWe are then stuck, because when scsi_rescan_device() tries to send its I/O\\nscsi_queue_rq() calls -\u003e scsi_host_queue_ready() -\u003e scsi_host_in_recovery()\\nwhich will return true (the host state is still in recovery) and I/O will\\njust be requeued. scsi_send_eh_cmnd() will then never be able to grab the\\nstate_mutex to finish error handling.\\n\\nTo prevent the deadlock move the rescan-related code to after we drop the\\nstate_mutex.\\n\\nThis also adds a check for if we are already in the running state. This\\nprevents extra scans and helps the iscsid case where if the transport class\\nhas already onlined the device during its recovery process then we don\u0027t\\nneed userspace to do it again plus possibly block that daemon.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: sysfs: Fix hang when device state is set via sysfs Esto corrige una regresi\u00f3n agregada con: commit f0f82e2476f6 (\\\"scsi: core: Fix capacity set to zero after offlinining device\\\") El problema es que despu\u00e9s de la recuperaci\u00f3n de iSCSI, iscsid llamar\u00e1 al kernel para establecer el estado del dev en running, y con ese parche ahora llamamos a scsi_rescan_device() con el state_mutex retenido. Si el hilo del controlador de errores SCSI est\u00e1 empezando a probar el dispositivo en scsi_send_eh_cmnd() entonces va a intentar capturar el state_mutex. Entonces estamos atascados, porque cuando scsi_rescan_device() intenta enviar su E/S, scsi_queue_rq() llama a -\u0026gt; scsi_host_queue_ready() -\u0026gt; scsi_host_in_recovery() que devolver\u00e1 verdadero (el estado del host todav\u00eda est\u00e1 en recuperaci\u00f3n) y la E/S simplemente se volver\u00e1 a poner en cola. scsi_send_eh_cmnd() nunca podr\u00e1 tomar el state_mutex para finalizar el manejo de errores. Para evitar el punto muerto, mueva el c\u00f3digo relacionado con el rescan a despu\u00e9s de que eliminemos el state_mutex. Esto tambi\u00e9n agrega una verificaci\u00f3n para ver si ya estamos en el estado de ejecuci\u00f3n. Esto evita escaneos adicionales y ayuda al caso iscsid donde si la clase de transporte ya ha puesto en l\u00ednea el dispositivo durante su proceso de recuperaci\u00f3n, entonces no necesitamos espacio de usuario para hacerlo nuevamente y posiblemente bloquear ese daemon.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4edd8cd4e86dd3047e5294bbefcc0a08f66a430f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a792e0128d232251edb5fdf42fb0f9fbb0b44a73\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bcc0e3175a976b7fa9a353960808adb0bb49ead8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/edd783162bf2385b43de6764f2d4c6e9f4f6be27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.