[PATCH] scsi: fix out of bounds error in /drivers/scsi

From: jackysliu
Date: Tue Jun 17 2025 - 05:10:30 EST

Next message: Sebastian Andrzej Siewior: "Re: Latency spikes on V6.15.1 Preempt RT and maybe related to intel? IGB"
Previous message: Michal Koutný: "Re: [PATCH v1 0/3] cgroup: Add lock guard support"
Next in thread: Bart Van Assche: "Re: [PATCH] scsi: fix out of bounds error in /drivers/scsi"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Out-of-bounds vulnerability found in ./drivers/scsi/sd.c,
sd_read_block_limits_ext Function Due to Unreasonable boundary checks.
Out-of-bounds read vulnerability exists in the
Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
The flaw occurs in the sd_read_block_limits_ext function
when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
responses from storage devices

Signed-off-by: jackysliu <1972843537@xxxxxx>
---
drivers/scsi/sd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3f6e87705b62..eeaa6af294b8 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)

rcu_read_lock();
vpd = rcu_dereference(sdkp->device->vpd_pgb7);
- if (vpd && vpd->len >= 2)
+ if (vpd && vpd->len >= 6)
sdkp->rscs = vpd->data[5] & 1;
rcu_read_unlock();
}
--
2.43.5

Next message: Sebastian Andrzej Siewior: "Re: Latency spikes on V6.15.1 Preempt RT and maybe related to intel? IGB"
Previous message: Michal Koutný: "Re: [PATCH v1 0/3] cgroup: Add lock guard support"
Next in thread: Bart Van Assche: "Re: [PATCH] scsi: fix out of bounds error in /drivers/scsi"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]