CVE-2025-21738
27.02.2025, 03:15
In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.Enginsight
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 𝑥 < 6.1.129 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.78 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.14 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.3 |
𝑥
= Vulnerable software versions
Debian Releases
References