| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022659-CVE-2025-21738-f502@gregkh> Date: Wed, 26 Feb 2025 18:11:20 -0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer Description =========== In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer. The Linux kernel CVE team has assigned CVE-2025-21738 to this issue. Affected and fixed versions =========================== Fixed in 6.1.129 with commit a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c Fixed in 6.6.78 with commit d5e6e3000309359eae2a17117aa6e3c44897bf6c Fixed in 6.12.14 with commit 0dd5aade301a10f4b329fa7454fdcc2518741902 Fixed in 6.13.3 with commit 0a17a9944b8d89ef03946121241870ac53ddaf45 Fixed in 6.14-rc1 with commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21738 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/ata/libata-sff.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902 https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45 https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2
Powered by blists - more mailing lists