| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025101529-CVE-2025-39998-57d5@gregkh> Date: Wed, 15 Oct 2025 09:58:35 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39998: scsi: target: target_core_configfs: Add length check to avoid buffer overflow From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: target: target_core_configfs: Add length check to avoid buffer overflow A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. The Linux kernel CVE team has assigned CVE-2025-39998 to this issue. Affected and fixed versions =========================== Fixed in 6.6.110 with commit f03aa5e39da7d045615b3951d2a6ca1d7132f881 Fixed in 6.12.51 with commit 53c6351597e6a17ec6619f6f060d54128cb9a187 Fixed in 6.16.11 with commit 4b292286949588bd2818e66ff102db278de8dd26 Fixed in 6.17.1 with commit a150275831b765b0f1de8b8ff52ec5c6933ac15d Fixed in 6.18-rc1 with commit 27e06650a5eafe832a90fd2604f0c5e920857fae Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39998 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/target/target_core_configfs.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f03aa5e39da7d045615b3951d2a6ca1d7132f881 https://git.kernel.org/stable/c/53c6351597e6a17ec6619f6f060d54128cb9a187 https://git.kernel.org/stable/c/4b292286949588bd2818e66ff102db278de8dd26 https://git.kernel.org/stable/c/a150275831b765b0f1de8b8ff52ec5c6933ac15d https://git.kernel.org/stable/c/27e06650a5eafe832a90fd2604f0c5e920857fae
Powered by blists - more mailing lists