| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2025-21738: ata: libata-sff: Ensure that we cannot write outside the allocated buffer |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| ata: libata-sff: Ensure that we cannot write outside the allocated buffer |
| |
| reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len |
| set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to |
| ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to |
| write outside the allocated buffer, overwriting random memory. |
| |
| While a ATA device is supposed to abort a ATA_NOP command, there does seem |
| to be a bug either in libata-sff or QEMU, where either this status is not |
| set, or the status is cleared before read by ata_sff_hsm_move(). |
| Anyway, that is most likely a separate bug. |
| |
| Looking at __atapi_pio_bytes(), it already has a safety check to ensure |
| that __atapi_pio_bytes() cannot write outside the allocated buffer. |
| |
| Add a similar check to ata_pio_sector(), such that also ata_pio_sector() |
| cannot write outside the allocated buffer. |
| |
| The Linux kernel CVE team has assigned CVE-2025-21738 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 6.1.129 with commit a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c |
| Fixed in 6.6.78 with commit d5e6e3000309359eae2a17117aa6e3c44897bf6c |
| Fixed in 6.12.14 with commit 0dd5aade301a10f4b329fa7454fdcc2518741902 |
| Fixed in 6.13.3 with commit 0a17a9944b8d89ef03946121241870ac53ddaf45 |
| Fixed in 6.14 with commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2025-21738 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/ata/libata-sff.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c |
| https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c |
| https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902 |
| https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45 |
| https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2 |
