CVE-2021-47337 (GCVE-0-2021-47337)

Vulnerability from cvelistv5 – Published: 2024-05-21 14:35 – Updated: 2026-05-23 15:19
VLAI
Title
scsi: core: Fix bad pointer dereference when ehandler kthread is invalid
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix bad pointer dereference when ehandler kthread is invalid Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") changed the allocation logic to call put_device() to perform host cleanup with the assumption that IDA removal and stopping the kthread would properly be performed in scsi_host_dev_release(). However, in the unlikely case that the error handler thread fails to spawn, shost->ehandler is set to ERR_PTR(-ENOMEM). The error handler cleanup code in scsi_host_dev_release() will call kthread_stop() if shost->ehandler != NULL which will always be the case whether the kthread was successfully spawned or not. In the case that it failed to spawn this has the nasty side effect of trying to dereference an invalid pointer when kthread_stop() is called. The following splat provides an example of this behavior in the wild: scsi host11: error handler thread failed to spawn, error = -4 Kernel attempted to read user page (10c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x0000010c Faulting instruction address: 0xc00000000818e9a8 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region hash dm_log dm_mod fuse overlay squashfs loop CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1 NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8 REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228 XER: 20040001 CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0 GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000 GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0 GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288 GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898 GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000 GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc NIP [c00000000818e9a8] kthread_stop+0x38/0x230 LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160 Call Trace: [c000000033bb2c48] 0xc000000033bb2c48 (unreliable) [c0000000089846e8] scsi_host_dev_release+0x98/0x160 [c00000000891e960] device_release+0x60/0x100 [c0000000087e55c4] kobject_release+0x84/0x210 [c00000000891ec78] put_device+0x28/0x40 [c000000008984ea4] scsi_host_alloc+0x314/0x430 [c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi] [c000000008110104] vio_bus_probe+0xa4/0x4b0 [c00000000892a860] really_probe+0x140/0x680 [c00000000892aefc] driver_probe_device+0x15c/0x200 [c00000000892b63c] device_driver_attach+0xcc/0xe0 [c00000000892b740] __driver_attach+0xf0/0x200 [c000000008926f28] bus_for_each_dev+0xa8/0x130 [c000000008929ce4] driver_attach+0x34/0x50 [c000000008928fc0] bus_add_driver+0x1b0/0x300 [c00000000892c798] driver_register+0x98/0x1a0 [c00000000810eb60] __vio_register_driver+0x80/0xe0 [c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi] [c0000000080121d0] do_one_initcall+0x60/0x2d0 [c000000008261abc] do_init_module+0x7c/0x320 [c000000008265700] load_module+0x2350/0x25b0 [c000000008265cb4] __do_sys_finit_module+0xd4/0x160 [c000000008031110] system_call_exception+0x150/0x2d0 [c00000000800d35c] system_call_common+0xec/0x278 Fix this be nulling shost->ehandler when the kthread fails to spawn.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8958181c1663e24a13434448e7d6b96b5d04900a , < d2f0b960d07e52bb664471b4de0ed8b08c636b3a (git)
Affected: db08ce595dd64ea9859f7d088b51cbfc8e685c66 , < f3d0a109240c9bed5c60d819014786be3a2fe515 (git)
Affected: 2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a , < e1bd3fac2baa3d5c04375980c1d5263a3335af92 (git)
Affected: 79296e292d67fa7b5fb8d8c27343683e823872c8 , < 887bfae2732b5b02a86a859fd239d34f7ff93c05 (git)
Affected: 7a696ce1d5d16a33a6cd6400bbcc0339b2460e11 , < ea518b70ed5e4598c8d706f37fc16f7b06e440bd (git)
Affected: 45d83db4728127944b237c0c8248987df9d478e7 , < 8e4212ecf0713dd57d0e3209a66201da582149b1 (git)
Affected: 66a834d092930cf41d809c0e989b13cd6f9ca006 , < c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691 (git)
Affected: 66a834d092930cf41d809c0e989b13cd6f9ca006 , < 93aa71ad7379900e61c8adff6a710a4c18c7c99b (git)
Affected: 4.9.273 , < 4.9.276 (semver)
Affected: 4.14.237 , < 4.14.240 (semver)
Affected: 4.19.195 , < 4.19.198 (semver)
Affected: 5.4.126 , < 5.4.134 (semver)
Affected: 5.10.44 , < 5.10.52 (semver)
Affected: 5.12.11 , < 5.12.19 (semver)
Create a notification for this product.
Linux Linux Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 4.9.276 , ≤ 4.9.* (semver)
Unaffected: 4.14.240 , ≤ 4.14.* (semver)
Unaffected: 4.19.198 , ≤ 4.19.* (semver)
Unaffected: 5.4.134 , ≤ 5.4.* (semver)
Unaffected: 5.10.52 , ≤ 5.10.* (semver)
Unaffected: 5.12.19 , ≤ 5.12.* (semver)
Unaffected: 5.13.4 , ≤ 5.13.* (semver)
Unaffected: 5.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:32:08.569Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47337",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:38:56.617775Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:50.372Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hosts.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d2f0b960d07e52bb664471b4de0ed8b08c636b3a",
              "status": "affected",
              "version": "8958181c1663e24a13434448e7d6b96b5d04900a",
              "versionType": "git"
            },
            {
              "lessThan": "f3d0a109240c9bed5c60d819014786be3a2fe515",
              "status": "affected",
              "version": "db08ce595dd64ea9859f7d088b51cbfc8e685c66",
              "versionType": "git"
            },
            {
              "lessThan": "e1bd3fac2baa3d5c04375980c1d5263a3335af92",
              "status": "affected",
              "version": "2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a",
              "versionType": "git"
            },
            {
              "lessThan": "887bfae2732b5b02a86a859fd239d34f7ff93c05",
              "status": "affected",
              "version": "79296e292d67fa7b5fb8d8c27343683e823872c8",
              "versionType": "git"
            },
            {
              "lessThan": "ea518b70ed5e4598c8d706f37fc16f7b06e440bd",
              "status": "affected",
              "version": "7a696ce1d5d16a33a6cd6400bbcc0339b2460e11",
              "versionType": "git"
            },
            {
              "lessThan": "8e4212ecf0713dd57d0e3209a66201da582149b1",
              "status": "affected",
              "version": "45d83db4728127944b237c0c8248987df9d478e7",
              "versionType": "git"
            },
            {
              "lessThan": "c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691",
              "status": "affected",
              "version": "66a834d092930cf41d809c0e989b13cd6f9ca006",
              "versionType": "git"
            },
            {
              "lessThan": "93aa71ad7379900e61c8adff6a710a4c18c7c99b",
              "status": "affected",
              "version": "66a834d092930cf41d809c0e989b13cd6f9ca006",
              "versionType": "git"
            },
            {
              "lessThan": "4.9.276",
              "status": "affected",
              "version": "4.9.273",
              "versionType": "semver"
            },
            {
              "lessThan": "4.14.240",
              "status": "affected",
              "version": "4.14.237",
              "versionType": "semver"
            },
            {
              "lessThan": "4.19.198",
              "status": "affected",
              "version": "4.19.195",
              "versionType": "semver"
            },
            {
              "lessThan": "5.4.134",
              "status": "affected",
              "version": "5.4.126",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.52",
              "status": "affected",
              "version": "5.10.44",
              "versionType": "semver"
            },
            {
              "lessThan": "5.12.19",
              "status": "affected",
              "version": "5.12.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hosts.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.52",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.13.*",
              "status": "unaffected",
              "version": "5.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.276",
                  "versionStartIncluding": "4.9.273",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.240",
                  "versionStartIncluding": "4.14.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.198",
                  "versionStartIncluding": "4.19.195",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.134",
                  "versionStartIncluding": "5.4.126",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.52",
                  "versionStartIncluding": "5.10.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.19",
                  "versionStartIncluding": "5.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix bad pointer dereference when ehandler kthread is invalid\n\nCommit 66a834d09293 (\"scsi: core: Fix error handling of scsi_host_alloc()\")\nchanged the allocation logic to call put_device() to perform host cleanup\nwith the assumption that IDA removal and stopping the kthread would\nproperly be performed in scsi_host_dev_release(). However, in the unlikely\ncase that the error handler thread fails to spawn, shost-\u003eehandler is set\nto ERR_PTR(-ENOMEM).\n\nThe error handler cleanup code in scsi_host_dev_release() will call\nkthread_stop() if shost-\u003eehandler != NULL which will always be the case\nwhether the kthread was successfully spawned or not. In the case that it\nfailed to spawn this has the nasty side effect of trying to dereference an\ninvalid pointer when kthread_stop() is called. The following splat provides\nan example of this behavior in the wild:\n\nscsi host11: error handler thread failed to spawn, error = -4\nKernel attempted to read user page (10c) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x0000010c\nFaulting instruction address: 0xc00000000818e9a8\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\nModules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region\n hash dm_log dm_mod fuse overlay squashfs loop\nCPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1\nNIP:  c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8\nREGS: c000000037d12ea0 TRAP: 0300   Not tainted  (5.13.0-rc7)\nMSR:  800000000280b033 \u0026lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u0026gt;  CR: 28228228\nXER: 20040001\nCFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0\nGPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc\nGPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000\nGPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff\nGPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0\nGPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288\nGPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898\nGPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000\nGPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc\nNIP [c00000000818e9a8] kthread_stop+0x38/0x230\nLR [c0000000089846e8] scsi_host_dev_release+0x98/0x160\nCall Trace:\n[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)\n[c0000000089846e8] scsi_host_dev_release+0x98/0x160\n[c00000000891e960] device_release+0x60/0x100\n[c0000000087e55c4] kobject_release+0x84/0x210\n[c00000000891ec78] put_device+0x28/0x40\n[c000000008984ea4] scsi_host_alloc+0x314/0x430\n[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]\n[c000000008110104] vio_bus_probe+0xa4/0x4b0\n[c00000000892a860] really_probe+0x140/0x680\n[c00000000892aefc] driver_probe_device+0x15c/0x200\n[c00000000892b63c] device_driver_attach+0xcc/0xe0\n[c00000000892b740] __driver_attach+0xf0/0x200\n[c000000008926f28] bus_for_each_dev+0xa8/0x130\n[c000000008929ce4] driver_attach+0x34/0x50\n[c000000008928fc0] bus_add_driver+0x1b0/0x300\n[c00000000892c798] driver_register+0x98/0x1a0\n[c00000000810eb60] __vio_register_driver+0x80/0xe0\n[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]\n[c0000000080121d0] do_one_initcall+0x60/0x2d0\n[c000000008261abc] do_init_module+0x7c/0x320\n[c000000008265700] load_module+0x2350/0x25b0\n[c000000008265cb4] __do_sys_finit_module+0xd4/0x160\n[c000000008031110] system_call_exception+0x150/0x2d0\n[c00000000800d35c] system_call_common+0xec/0x278\n\nFix this be nulling shost-\u003eehandler when the kthread fails to spawn."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:19:41.652Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92"
        },
        {
          "url": "https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691"
        },
        {
          "url": "https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b"
        }
      ],
      "title": "scsi: core: Fix bad pointer dereference when ehandler kthread is invalid",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47337",
    "datePublished": "2024-05-21T14:35:46.379Z",
    "dateReserved": "2024-05-21T14:28:16.978Z",
    "dateUpdated": "2026-05-23T15:19:41.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-47337",
      "date": "2026-06-06",
      "epss": "0.00014",
      "percentile": "0.02624"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47337\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T15:15:20.527\",\"lastModified\":\"2024-12-24T16:15:04.180\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix bad pointer dereference when ehandler kthread is invalid\\n\\nCommit 66a834d09293 (\\\"scsi: core: Fix error handling of scsi_host_alloc()\\\")\\nchanged the allocation logic to call put_device() to perform host cleanup\\nwith the assumption that IDA removal and stopping the kthread would\\nproperly be performed in scsi_host_dev_release(). However, in the unlikely\\ncase that the error handler thread fails to spawn, shost-\u003eehandler is set\\nto ERR_PTR(-ENOMEM).\\n\\nThe error handler cleanup code in scsi_host_dev_release() will call\\nkthread_stop() if shost-\u003eehandler != NULL which will always be the case\\nwhether the kthread was successfully spawned or not. In the case that it\\nfailed to spawn this has the nasty side effect of trying to dereference an\\ninvalid pointer when kthread_stop() is called. The following splat provides\\nan example of this behavior in the wild:\\n\\nscsi host11: error handler thread failed to spawn, error = -4\\nKernel attempted to read user page (10c) - exploit attempt? (uid: 0)\\nBUG: Kernel NULL pointer dereference on read at 0x0000010c\\nFaulting instruction address: 0xc00000000818e9a8\\nOops: Kernel access of bad area, sig: 11 [#1]\\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\\nModules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region\\n hash dm_log dm_mod fuse overlay squashfs loop\\nCPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1\\nNIP:  c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8\\nREGS: c000000037d12ea0 TRAP: 0300   Not tainted  (5.13.0-rc7)\\nMSR:  800000000280b033 \u0026lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u0026gt;  CR: 28228228\\nXER: 20040001\\nCFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0\\nGPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc\\nGPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000\\nGPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff\\nGPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0\\nGPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288\\nGPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898\\nGPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000\\nGPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc\\nNIP [c00000000818e9a8] kthread_stop+0x38/0x230\\nLR [c0000000089846e8] scsi_host_dev_release+0x98/0x160\\nCall Trace:\\n[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)\\n[c0000000089846e8] scsi_host_dev_release+0x98/0x160\\n[c00000000891e960] device_release+0x60/0x100\\n[c0000000087e55c4] kobject_release+0x84/0x210\\n[c00000000891ec78] put_device+0x28/0x40\\n[c000000008984ea4] scsi_host_alloc+0x314/0x430\\n[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]\\n[c000000008110104] vio_bus_probe+0xa4/0x4b0\\n[c00000000892a860] really_probe+0x140/0x680\\n[c00000000892aefc] driver_probe_device+0x15c/0x200\\n[c00000000892b63c] device_driver_attach+0xcc/0xe0\\n[c00000000892b740] __driver_attach+0xf0/0x200\\n[c000000008926f28] bus_for_each_dev+0xa8/0x130\\n[c000000008929ce4] driver_attach+0x34/0x50\\n[c000000008928fc0] bus_add_driver+0x1b0/0x300\\n[c00000000892c798] driver_register+0x98/0x1a0\\n[c00000000810eb60] __vio_register_driver+0x80/0xe0\\n[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]\\n[c0000000080121d0] do_one_initcall+0x60/0x2d0\\n[c000000008261abc] do_init_module+0x7c/0x320\\n[c000000008265700] load_module+0x2350/0x25b0\\n[c000000008265cb4] __do_sys_finit_module+0xd4/0x160\\n[c000000008031110] system_call_exception+0x150/0x2d0\\n[c00000000800d35c] system_call_common+0xec/0x278\\n\\nFix this be nulling shost-\u003eehandler when the kthread fails to spawn.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: scsi: core: corrige la desreferencia del puntero incorrecto cuando ehandler kthread no es v\u00e1lido. La confirmaci\u00f3n 66a834d09293 (\\\"scsi: core: corrige el manejo de errores de scsi_host_alloc()\\\") cambi\u00f3 la l\u00f3gica de asignaci\u00f3n para llamar a put_device( ) para realizar la limpieza del host asumiendo que la eliminaci\u00f3n de IDA y la detenci\u00f3n del kthread se realizar\u00edan correctamente en scsi_host_dev_release(). Sin embargo, en el improbable caso de que el subproceso del controlador de errores no se genere, shost-\u0026gt;ehandler se establece en ERR_PTR(-ENOMEM). El c\u00f3digo de limpieza del controlador de errores en scsi_host_dev_release() llamar\u00e1 a kthread_stop() si shost-\u0026gt;ehandler != NULL, que siempre ser\u00e1 el caso ya sea que kthread se genere exitosamente o no. En el caso de que no se genere, esto tiene el desagradable efecto secundario de intentar eliminar la referencia a un puntero no v\u00e1lido cuando se llama a kthread_stop(). El siguiente s\u00edmbolo proporciona un ejemplo de este comportamiento en la naturaleza: scsi host11: el hilo del controlador de errores no pudo generarse, error = -4 El kernel intent\u00f3 leer la p\u00e1gina del usuario (10c): \u00bfintento de explotaci\u00f3n? (uid: 0) ERROR: Desreferencia del puntero NULL del kernel al leer en 0x0000010c Direcci\u00f3n de instrucci\u00f3n err\u00f3nea: 0xc00000000818e9a8 Ups: Acceso al kernel del \u00e1rea defectuosa, firma: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 M\u00f3dulos NUMA pSeries vinculados en: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region hash dm_log dm_mod fuse overlay squashfs loop CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1 NIP: c00000000818e9a8 LR: 9846e8 CTR: 0000000000007ee8 REGS: c000000037d12ea0 TRAMPA : 0300 No contaminado (5.13.0-rc7) MSR: 800000000280b033 \u0026lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u0026gt; CR: 28228228 XER: 20040001 CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0 GPR00: c0000000089846e8 c000000037d13140 000009cc1100 ffffffffffffffffc GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000 GPR08: 0000000000000000 c000000037 dc0000 0000000000000001 00000000fffff7ff GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0 GPR16: 001740 c0080000190d0000 c0080000190d1740 c000000009129288 GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898 GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 000000 0000000000 GPR28: c000000046b28280 0000000000000000 000000000000010c ffffffffffffffffc NIP [c00000000818e9a8] kthread_stop+0x38/0x230 LR [c0000000089 846e8] scsi_host_dev_release+0x98/0x160 Seguimiento de llamadas: [c000000033bb2c48] 0xc000000033bb2c48 (no confiable) [c0000000089846e8] scsi_host_dev_release+0x98 /0x160 [c00000000891e960] device_release+0x60/0x100 [c0000000087e55c4] kobject_release+0x84/0x210 [c00000000891ec78] put_device+0x28/0x40 [c000000008984ea4] host_alloc+0x314/0x430 [c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi] [c000000008110104] vio_bus_probe+ 0xa4/0x4b0 [c00000000892a860] very_probe+0x140/0x680 [c00000000892aefc] driver_probe_device+0x15c/0x200 [c00000000892b63c] device_driver_attach+0xcc/0xe0 [c0000000 0892b740] __driver_attach+0xf0/0x200 [c000000008926f28] bus_for_each_dev+0xa8/0x130 [c000000008929ce4] driver_attach+0x34/ 0x50 [c000000008928fc0] bus_add_driver+0x1b0/0x300 [c00000000892c798] driver_register+0x98/0x1a0 [c00000000810eb60] __vio_register_driver+0x80/0xe0 [c0080000190 b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi] [c0000000080121d0] do_one_initcall+0x60/0x2d0 [c000000008261abc] do_init_module+0x7c /0x320 [c000000008265700] load_module+0x2350/0x25b0 [c000000008265cb4] __do_sys_finit_module+0xd4/0x160 [c000000008031110] system_call_exception+0x150/0x2d0 [c00 000000800d35c] system_call_common+0xec/0x278 Se soluciona esto al anular shost-\u0026gt;ehandler cuando el kthread no se genera.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.9.273\",\"versionEndExcluding\":\"4.9.276\",\"matchCriteriaId\":\"ED04361D-7F99-406C-AE60-A742D103009A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.14.237\",\"versionEndExcluding\":\"4.14.240\",\"matchCriteriaId\":\"60DA33EB-FEFC-4F52-8609-9AB83CA2AAD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.195\",\"versionEndExcluding\":\"4.19.198\",\"matchCriteriaId\":\"4AF6E1E3-F88E-4B5E-A57F-3B5A7FF9007F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.126\",\"versionEndExcluding\":\"5.4.134\",\"matchCriteriaId\":\"661C2EBB-B5C1-4474-A223-3502F874DE8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.44\",\"versionEndExcluding\":\"5.10.52\",\"matchCriteriaId\":\"80AEAC35-3FA8-4941-A13F-819DF11709CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.12.11\",\"versionEndExcluding\":\"5.12.19\",\"matchCriteriaId\":\"FFAD6692-628C-40D7-A83C-01022B6D6DBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.13\",\"versionEndExcluding\":\"5.13.4\",\"matchCriteriaId\":\"F93FA3CC-0C79-410B-A7D7-245C2AA0723A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"71268287-21A8-4488-AA4F-23C473153131\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:32:08.569Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-47337\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:38:56.617775Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:19.102Z\"}}], \"cna\": {\"title\": \"scsi: core: Fix bad pointer dereference when ehandler kthread is invalid\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"8958181c1663e24a13434448e7d6b96b5d04900a\", \"lessThan\": \"d2f0b960d07e52bb664471b4de0ed8b08c636b3a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"db08ce595dd64ea9859f7d088b51cbfc8e685c66\", \"lessThan\": \"f3d0a109240c9bed5c60d819014786be3a2fe515\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a\", \"lessThan\": \"e1bd3fac2baa3d5c04375980c1d5263a3335af92\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"79296e292d67fa7b5fb8d8c27343683e823872c8\", \"lessThan\": \"887bfae2732b5b02a86a859fd239d34f7ff93c05\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"7a696ce1d5d16a33a6cd6400bbcc0339b2460e11\", \"lessThan\": \"ea518b70ed5e4598c8d706f37fc16f7b06e440bd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"45d83db4728127944b237c0c8248987df9d478e7\", \"lessThan\": \"8e4212ecf0713dd57d0e3209a66201da582149b1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"66a834d092930cf41d809c0e989b13cd6f9ca006\", \"lessThan\": \"c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"66a834d092930cf41d809c0e989b13cd6f9ca006\", \"lessThan\": \"93aa71ad7379900e61c8adff6a710a4c18c7c99b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4.9.273\", \"lessThan\": \"4.9.276\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.14.237\", \"lessThan\": \"4.14.240\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.19.195\", \"lessThan\": \"4.19.198\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.4.126\", \"lessThan\": \"5.4.134\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.10.44\", \"lessThan\": \"5.10.52\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.12.11\", \"lessThan\": \"5.12.19\", \"versionType\": \"semver\"}], \"programFiles\": [\"drivers/scsi/hosts.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.13\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.13\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.9.276\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.9.*\"}, {\"status\": \"unaffected\", \"version\": \"4.14.240\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.14.*\"}, {\"status\": \"unaffected\", \"version\": \"4.19.198\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.134\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.52\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.12.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.12.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13.4\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.13.*\"}, {\"status\": \"unaffected\", \"version\": \"5.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/scsi/hosts.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/d2f0b960d07e52bb664471b4de0ed8b08c636b3a\"}, {\"url\": \"https://git.kernel.org/stable/c/f3d0a109240c9bed5c60d819014786be3a2fe515\"}, {\"url\": \"https://git.kernel.org/stable/c/e1bd3fac2baa3d5c04375980c1d5263a3335af92\"}, {\"url\": \"https://git.kernel.org/stable/c/887bfae2732b5b02a86a859fd239d34f7ff93c05\"}, {\"url\": \"https://git.kernel.org/stable/c/ea518b70ed5e4598c8d706f37fc16f7b06e440bd\"}, {\"url\": \"https://git.kernel.org/stable/c/8e4212ecf0713dd57d0e3209a66201da582149b1\"}, {\"url\": \"https://git.kernel.org/stable/c/c1671d2d2ef8a84837eea1b4d99ca0c6a66fb691\"}, {\"url\": \"https://git.kernel.org/stable/c/93aa71ad7379900e61c8adff6a710a4c18c7c99b\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix bad pointer dereference when ehandler kthread is invalid\\n\\nCommit 66a834d09293 (\\\"scsi: core: Fix error handling of scsi_host_alloc()\\\")\\nchanged the allocation logic to call put_device() to perform host cleanup\\nwith the assumption that IDA removal and stopping the kthread would\\nproperly be performed in scsi_host_dev_release(). However, in the unlikely\\ncase that the error handler thread fails to spawn, shost-\u003eehandler is set\\nto ERR_PTR(-ENOMEM).\\n\\nThe error handler cleanup code in scsi_host_dev_release() will call\\nkthread_stop() if shost-\u003eehandler != NULL which will always be the case\\nwhether the kthread was successfully spawned or not. In the case that it\\nfailed to spawn this has the nasty side effect of trying to dereference an\\ninvalid pointer when kthread_stop() is called. The following splat provides\\nan example of this behavior in the wild:\\n\\nscsi host11: error handler thread failed to spawn, error = -4\\nKernel attempted to read user page (10c) - exploit attempt? (uid: 0)\\nBUG: Kernel NULL pointer dereference on read at 0x0000010c\\nFaulting instruction address: 0xc00000000818e9a8\\nOops: Kernel access of bad area, sig: 11 [#1]\\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\\nModules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region\\n hash dm_log dm_mod fuse overlay squashfs loop\\nCPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1\\nNIP:  c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8\\nREGS: c000000037d12ea0 TRAP: 0300   Not tainted  (5.13.0-rc7)\\nMSR:  800000000280b033 \u0026lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u0026gt;  CR: 28228228\\nXER: 20040001\\nCFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0\\nGPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc\\nGPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000\\nGPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff\\nGPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0\\nGPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288\\nGPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898\\nGPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000\\nGPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc\\nNIP [c00000000818e9a8] kthread_stop+0x38/0x230\\nLR [c0000000089846e8] scsi_host_dev_release+0x98/0x160\\nCall Trace:\\n[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)\\n[c0000000089846e8] scsi_host_dev_release+0x98/0x160\\n[c00000000891e960] device_release+0x60/0x100\\n[c0000000087e55c4] kobject_release+0x84/0x210\\n[c00000000891ec78] put_device+0x28/0x40\\n[c000000008984ea4] scsi_host_alloc+0x314/0x430\\n[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]\\n[c000000008110104] vio_bus_probe+0xa4/0x4b0\\n[c00000000892a860] really_probe+0x140/0x680\\n[c00000000892aefc] driver_probe_device+0x15c/0x200\\n[c00000000892b63c] device_driver_attach+0xcc/0xe0\\n[c00000000892b740] __driver_attach+0xf0/0x200\\n[c000000008926f28] bus_for_each_dev+0xa8/0x130\\n[c000000008929ce4] driver_attach+0x34/0x50\\n[c000000008928fc0] bus_add_driver+0x1b0/0x300\\n[c00000000892c798] driver_register+0x98/0x1a0\\n[c00000000810eb60] __vio_register_driver+0x80/0xe0\\n[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]\\n[c0000000080121d0] do_one_initcall+0x60/0x2d0\\n[c000000008261abc] do_init_module+0x7c/0x320\\n[c000000008265700] load_module+0x2350/0x25b0\\n[c000000008265cb4] __do_sys_finit_module+0xd4/0x160\\n[c000000008031110] system_call_exception+0x150/0x2d0\\n[c00000000800d35c] system_call_common+0xec/0x278\\n\\nFix this be nulling shost-\u003eehandler when the kthread fails to spawn.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.276\", \"versionStartIncluding\": \"4.9.273\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.240\", \"versionStartIncluding\": \"4.14.237\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.198\", \"versionStartIncluding\": \"4.19.195\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.134\", \"versionStartIncluding\": \"5.4.126\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.52\", \"versionStartIncluding\": \"5.10.44\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.12.19\", \"versionStartIncluding\": \"5.12.11\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.13.4\", \"versionStartIncluding\": \"5.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.14\", \"versionStartIncluding\": \"5.13\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-23T15:19:41.652Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-47337\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-23T15:19:41.652Z\", \"dateReserved\": \"2024-05-21T14:28:16.978Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-21T14:35:46.379Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.