CVE-2021-47578: 
Linux Kernel vulnerability analysis and mitigation

CVE-2021-47578 is a vulnerability in the Linux kernel's SCSI debug module that was discovered and resolved in 2021. The issue occurs when the kcalloc() function is called with a zero size argument, which returns ZEROSIZEPTR, potentially leading to a null pointer dereference. This vulnerability affects Linux kernel versions up to 5.10.88 and from version 5.11 up to (excluding) 5.15.11 (NVD).

The vulnerability stems from a null pointer dereference issue in the SCSI debug module. When kcalloc() is called with a size argument of zero, it returns ZEROSIZEPTR, which can lead to a null pointer dereference in subsequent NULL pointer checks. The issue manifests specifically in the memcpy operation within the sgcopybuffer function, as evidenced by the KASAN (Kernel Address Sanitizer) report showing a null pointer dereference at address 0000000000000010. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash through a null pointer dereference, potentially causing a denial of service condition. The CVSS scoring indicates that while the vulnerability requires local access and low privileges, it can have a high impact on system availability (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that adds early return checks before kcalloc() calls when the size argument is zero. The fix was implemented by adding conditional checks in the respverify and respreport_zones functions of the SCSI debug module (Kernel Patch).