* [PATCH] scsi: fix out of bounds error in /drivers/scsi
From: jackysliu @ 2025-06-17 9:03 UTC (permalink / raw)
To: James.Bottomley; +Cc: martin.petersen, linux-scsi, linux-kernel, jackysliu
Out-of-bounds vulnerability found in ./drivers/scsi/sd.c,
sd_read_block_limits_ext function, due to unreasonable boundary checks.
An out-of-bounds read vulnerability exists in the
Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
The flaw occurs in the sd_read_block_limits_ext function
when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
responses from storage devices.
Signed-off-by: jackysliu <1972843537@qq.com>
---
drivers/scsi/sd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3f6e87705b62..eeaa6af294b8 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
rcu_read_lock();
vpd = rcu_dereference(sdkp->device->vpd_pgb7);
- if (vpd && vpd->len >= 2)
+ if (vpd && vpd->len >= 6)
sdkp->rscs = vpd->data[5] & 1;
rcu_read_unlock();
}
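Review bot: the new bound is correct only because vpd->len counts the whole page, header included, and the description does not say so; please state in the commit message that vpd->len is the total length of VPD page B7 (4-byte header plus PAGE LENGTH payload), so that `vpd->len >= 6` is the smallest length that makes `vpd->data[5]` addressable, whereas the old `vpd->len >= 2` only guaranteed that bytes 0 and 1 exist. The subject line also names a directory (`/drivers/scsi`) rather than the driver being changed; since the hunk is confined to sd.c, a `scsi: sd:` prefix that mentions sd_read_block_limits_ext would match how the subsystem titles its patches.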
--
2.43.5
* Re: [PATCH] scsi: fix out of bounds error in /drivers/scsi
From: Bart Van Assche @ 2025-06-17 20:44 UTC (permalink / raw)
To: jackysliu, James.Bottomley; +Cc: martin.petersen, linux-scsi, linux-kernel
On 6/17/25 2:03 AM, jackysliu wrote:
> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c,
> sd_read_block_limits_ext function, due to unreasonable boundary checks.
> An out-of-bounds read vulnerability exists in the
> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
> The flaw occurs in the sd_read_block_limits_ext function
> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
> responses from storage devices.
>
> Signed-off-by: jackysliu <1972843537@qq.com>
> ---
> drivers/scsi/sd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
> index 3f6e87705b62..eeaa6af294b8 100644
> --- a/drivers/scsi/sd.c
> +++ b/drivers/scsi/sd.c
> @@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
>
> rcu_read_lock();
> vpd = rcu_dereference(sdkp->device->vpd_pgb7);
> - if (vpd && vpd->len >= 2)
> + if (vpd && vpd->len >= 6)
> sdkp->rscs = vpd->data[5] & 1;
> rcu_read_unlock();
> }
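Review bot: on the short-page path the hunk leaves `sdkp->rscs` untouched rather than clearing it, so if an earlier B7 page from the same device had set it and this function runs again for that disk with a page shorter than 6 bytes, the stale value survives; consider `sdkp->rscs = 0;` ahead of the `if` so that a short page reads as RSCS unsupported, or say in the description why keeping the previous value is acceptable.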
Fixes: and Cc: stable tags are missing. Please add these.
How has this been detected? Please mention this in the patch
description. When I wrote the above code I was assuming that vpd->len
represents the contents of the PAGE LENGTH field (bytes 2 and 3).
Apparently vpd->len is the length in bytes of the entire VPD page.
Thanks,
Bart.
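The distinction Bart draws above, between the PAGE LENGTH field and the length of the whole page, is the entire bug, so here is a small added example (written for this page, not code from the thread or from drivers/scsi/sd.c) that models the two length notions on constructed VPD page B7 buffers. `struct vpd_page`, its fixed 64-byte array, the helper names and the sample pages are all assumptions made for the example; the byte-5/bit-0 position of RSCS is taken from the hunk itself (`vpd->data[5] & 1`), and the header layout (byte 1 page code, bytes 2-3 PAGE LENGTH, big-endian) from the standard VPD page format. The old check is reproduced only as a predicate, so nothing here reads out of bounds; the code shows which pages each predicate would admit, and adds a page-code and declared-length consistency check that the kernel hunk does not perform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code. A VPD page starts with a 4-byte header:
 * byte 0 peripheral qualifier/device type, byte 1 page code, bytes 2-3
 * PAGE LENGTH (big-endian), followed by PAGE LENGTH payload bytes.
 * Two length notions are easy to confuse:
 *   - page length: the PAGE LENGTH field, payload only
 *   - total length: header + payload, which is what the kernel's vpd->len holds
 * They differ by the 4-byte header, so "PAGE LENGTH >= 2" and "total >= 6"
 * describe the same page, and 6 is the bound that makes data[5] addressable.
 */

#define VPD_HDR_LEN 4
#define VPD_B7_PAGE_CODE 0xb7
#define VPD_B7_RSCS_BYTE 5 /* RSCS is bit 0 of byte 5, as in the hunk */

/* Hypothetical stand-in for the kernel's struct scsi_vpd: a total length
 * and the page bytes, header included. Fixed size so the demo stays safe. */
struct vpd_page {
	int len;
	unsigned char data[64];
};

/* PAGE LENGTH field from the header (bytes 2-3, big-endian). */
static unsigned int vpd_page_length(const struct vpd_page *vpd)
{
	return ((unsigned int)vpd->data[2] << 8) | vpd->data[3];
}

/* Smallest total length (header included) at which byte 'idx' exists. */
static int vpd_min_total_len_for_byte(unsigned int idx)
{
	return (int)idx + 1; /* 6 for byte 5 */
}

/* The pre-fix predicate: only right if len meant the PAGE LENGTH field. */
static int old_check_allows_read(const struct vpd_page *vpd)
{
	return vpd->len >= 2;
}

/* The post-fix predicate, with len being the total page length. */
static int fixed_check_allows_read(const struct vpd_page *vpd)
{
	return vpd->len >= vpd_min_total_len_for_byte(VPD_B7_RSCS_BYTE);
}

/* Hardened reader: checks the page code, that the device delivered at
 * least as many bytes as its PAGE LENGTH claims, and the byte-5 bound.
 * Returns 0 and sets *rscs, or -1 and leaves *rscs untouched. */
static int vpd_b7_read_rscs(const struct vpd_page *vpd, int *rscs)
{
	if (vpd->len < VPD_HDR_LEN || vpd->data[1] != VPD_B7_PAGE_CODE)
		return -1;
	if ((unsigned int)vpd->len < VPD_HDR_LEN + vpd_page_length(vpd))
		return -1; /* declared payload longer than what arrived */
	if (!fixed_check_allows_read(vpd))
		return -1;
	*rscs = vpd->data[VPD_B7_RSCS_BYTE] & 1;
	return 0;
}

/* Builds a page from constructed bytes (not captured from a real device). */
static struct vpd_page make_page(const unsigned char *bytes, int n)
{
	struct vpd_page p;
	memset(&p, 0, sizeof(p));
	memcpy(p.data, bytes, (size_t)n);
	p.len = n;
	return p;
}

/* Header-only B7 page, PAGE LENGTH = 0: the 4-byte case from the thread. */
static const unsigned char header_only[] = { 0x00, 0xb7, 0x00, 0x00 };
/* Minimal 6-byte page declaring 2 payload bytes, RSCS set in byte 5. */
static const unsigned char rscs_set[] = { 0x00, 0xb7, 0x00, 0x02, 0x00, 0x01 };
/* 6-byte page whose header claims 0x20 payload bytes it never delivered. */
static const unsigned char lying_len[] = { 0x00, 0xb7, 0x00, 0x20, 0x00, 0x01 };

int main(void)
{
	struct vpd_page p = make_page(header_only, (int)sizeof header_only);
	int rscs = -1;

	printf("4-byte page: old check admits byte 5: %d, fixed check: %d\n",
	       old_check_allows_read(&p), fixed_check_allows_read(&p));
	p = make_page(rscs_set, (int)sizeof rscs_set);
	printf("6-byte page: parse=%d rscs=%d\n",
	       vpd_b7_read_rscs(&p, &rscs), rscs);
	p = make_page(lying_len, (int)sizeof lying_len);
	printf("inconsistent page: parse=%d\n", vpd_b7_read_rscs(&p, &rscs));
	return 0;
}
```

Running it shows the old predicate admitting byte 5 of the header-only page while the fixed one rejects it; the declared-length check is an addition of this example, useful when the buffer is filled by a device that can answer with fewer bytes than its own header advertises.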
* RE: [PATCH] scsi: fix out of bounds error in /drivers/scsi
From: jackysliu @ 2025-06-18 6:31 UTC (permalink / raw)
To: bvanassche
Cc: 1972843537, James.Bottomley, linux-kernel, linux-scsi,
martin.petersen
On 6/17/25 2:03 AM, jackysliu wrote:
> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c,
> sd_read_block_limits_ext function, due to unreasonable boundary checks.
> An out-of-bounds read vulnerability exists in the
> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
> The flaw occurs in the sd_read_block_limits_ext function
> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
> responses from storage devices.
>
> Signed-off-by: jackysliu <1972843537@qq.com>
> ---
> drivers/scsi/sd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
> index 3f6e87705b62..eeaa6af294b8 100644
> --- a/drivers/scsi/sd.c
> +++ b/drivers/scsi/sd.c
> @@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
>
> rcu_read_lock();
> vpd = rcu_dereference(sdkp->device->vpd_pgb7);
> - if (vpd && vpd->len >= 2)
> + if (vpd && vpd->len >= 6)
> sdkp->rscs = vpd->data[5] & 1;
> rcu_read_unlock();
> }
On 6/17/25 13:44, Bart Van Assche wrote:
>Fixes: and Cc: stable tags are missing. Please add these.
>
>How has this been detected? Please mention this in the patch
>description. When I wrote the above code I was assuming that vpd->len
>represents the contents of the PAGE LENGTH field (bytes 2 and 3).
>Apparently vpd->len is the length in bytes of the entire VPD page.
>
>Thanks,
>
>Bart.
Sure, I'll explain in the patch later.
Can I know what kind of impact this vulnerability will have?
And is it possible to get a CVE number?
Thanks,
Jackysliu
* Re: [PATCH] scsi: fix out of bounds error in /drivers/scsi
From: Bart Van Assche @ 2025-06-18 15:26 UTC (permalink / raw)
To: jackysliu; +Cc: James.Bottomley, linux-kernel, linux-scsi, martin.petersen
On 6/17/25 11:31 PM, jackysliu wrote:
> Can I know what kind of impact this vulnerability will have?
The worst possible impact I see is that the Linux kernel would decide
that RSCS is supported although the device doesn't support it. This
could cause sd_read_io_hints() to print incorrect information. The
following message could be printed when it should not be printed:
"Unexpected: RSCS has been set and the permanent stream count is %u\n"
> And is it possible to get a cve number?
You are asking the wrong person. I don't know how to get a CVE number.
Bart.
* [PATCH v2] scsi: fix out of bounds error in /drivers/scsi
From: jackysliu @ 2025-06-19 4:03 UTC (permalink / raw)
To: bvanassche
Cc: 1972843537, James.Bottomley, linux-kernel, linux-scsi,
martin.petersen
6.15-stable review patch, vulnerability exists since v6.9
Out-of-bounds vulnerability found in ./drivers/scsi/sd.c.
The vulnerability was found by Wukong-Agent
(formerly Tencent Woodpecker), a code security AI agent,
through static code analysis.
The sd_read_block_limits_ext function is affected due to unreasonable boundary checks.
An out-of-bounds read vulnerability exists in the
Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
The flaw occurs in the sd_read_block_limits_ext function
when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
responses from storage devices.
A maliciously crafted 4-byte VPD page (0xB7) would cause an out-of-bounds
memory read, leading to potential system instability
and driver state corruption.
Signed-off-by: jackysliu <1972843537@qq.com>
---
drivers/scsi/sd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 3f6e87705b62..eeaa6af294b8 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
rcu_read_lock();
vpd = rcu_dereference(sdkp->device->vpd_pgb7);
- if (vpd && vpd->len >= 2)
+ if (vpd && vpd->len >= 6)
sdkp->rscs = vpd->data[5] & 1;
rcu_read_unlock();
}
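Review bot: the Fixes: and Cc: stable tags requested in the review of v1 are still absent from this version; the free-text line 6.15-stable review patch, vulnerability exists since v6.9 is not something the stable tooling parses, so please replace it with a `Fixes:` tag naming the commit that introduced the `vpd->len >= 2` check and a `Cc: stable@vger.kernel.org` line. The impact paragraph also claims system instability and driver state corruption, but the hunk shows a single one-byte read past a short page whose only effect is the value stored in `sdkp->rscs`, which matches the earlier assessment in this thread that the worst case is RSCS being treated as supported when the device does not support it; the description should state that rather than overstate it.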
--
2.43.5
* RE: [PATCH] scsi: fix out of bounds error in /drivers/scsi
From: jackysliu @ 2025-06-30 8:21 UTC (permalink / raw)
To: 1972843537
Cc: James.Bottomley, bvanassche, linux-kernel, linux-scsi,
martin.petersen
On 6/18/25 08:26 AM, Bart Van Assche wrote:
>> Can I know what kind of impact this vulnerability will have?
>
>The worst possible impact I see is that the Linux kernel would decide
>that RSCS is supported although the device doesn't support it. This
>could cause sd_read_io_hints() to print incorrect information. The
>following message could be printed when it should not be printed:
>"Unexpected: RSCS has been set and the permanent stream count is %u\n"
>
>> And is it possible to get a cve number?
>
>You are asking the wrong person. I don't know how to get a CVE number.
>
>Bart.
Thank you, Bart, for the patient review. I've submitted a new patch which
mentions the method of detection and the affected stable tags.
Best regards,
Jackysliu
* Re: [PATCH v2] usb: gadget: functioni: Fix a oob problem in rndis
From: jackysliu @ 2025-07-15 7:56 UTC (permalink / raw)
To: 1972843537
Cc: James.Bottomley, bvanassche, linux-kernel, linux-scsi,
martin.petersen
On Fri, Jul 11 2025 08:51:30 +0200, greg k-h wrote:
>Yes, and then look to see what buf_len (not buflen) in
>gen_ndis_set_resp() is used for. I'll wait... :)
Oh, my bad. It seems that buf_len will only be used for some debugging code.
>What tool generated this static analysis? You always have to mention
>that as per our development rules.
The vulnerability was found by Wukong-Agent, a code security AI agent,
through static code analysis. But it seems that this is a false positive.
>And what qemu setup did you use to test this? That would be helpful to
>know so that I can verify it on my end.
I'll add some web-usb device to test this model. But it seems that I went the wrong way.
Thanks
Siyang Liu
* Re: [PATCH v2] scsi: fix out of bounds error in /drivers/scsi
From: Bart Van Assche @ 2025-07-15 13:00 UTC (permalink / raw)
To: jackysliu; +Cc: James.Bottomley, linux-kernel, linux-scsi, martin.petersen
On 6/18/25 9:03 PM, jackysliu wrote:
> 6.15-stable review patch, vulnerability exists since v6.9
>
> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c.
> The vulnerability was found by Wukong-Agent
> (formerly Tencent Woodpecker), a code security AI agent,
> through static code analysis.
>
> The sd_read_block_limits_ext function is affected due to unreasonable boundary checks.
> An out-of-bounds read vulnerability exists in the
> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
> The flaw occurs in the sd_read_block_limits_ext function
> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
> responses from storage devices.
>
> A maliciously crafted 4-byte VPD page (0xB7) would cause an out-of-bounds
> memory read, leading to potential system instability
> and driver state corruption.
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
* Re: [PATCH v2] scsi: fix out of bounds error in /drivers/scsi
From: Krzysztof Kozlowski @ 2025-07-15 15:36 UTC (permalink / raw)
To: Bart Van Assche, jackysliu
Cc: James.Bottomley, linux-kernel, linux-scsi, martin.petersen
On 15/07/2025 15:00, Bart Van Assche wrote:
> On 6/18/25 9:03 PM, jackysliu wrote:
>> 6.15-stable review patch, vulnerability exists since v6.9
>>
>> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c.
>> The vulnerability was found by Wukong-Agent
>> (formerly Tencent Woodpecker), a code security AI agent,
>> through static code analysis.
>>
>> The sd_read_block_limits_ext function is affected due to unreasonable boundary checks.
>> An out-of-bounds read vulnerability exists in the
>> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
>> The flaw occurs in the sd_read_block_limits_ext function
>> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
>> responses from storage devices.
>>
>> A maliciously crafted 4-byte VPD page (0xB7) would cause an out-of-bounds
>> memory read, leading to potential system instability
>> and driver state corruption.
>
> Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Just checking - are you sure? Please be careful with this work, that's
AI-generated stuff which in some cases did not even compile or did not
actually follow C code.
Best regards,
Krzysztof
* Re: [PATCH v2] scsi: fix out of bounds error in /drivers/scsi
From: Bart Van Assche @ 2025-07-15 16:57 UTC (permalink / raw)
To: Krzysztof Kozlowski, jackysliu
Cc: James.Bottomley, linux-kernel, linux-scsi, martin.petersen
On 7/15/25 8:36 AM, Krzysztof Kozlowski wrote:
> On 15/07/2025 15:00, Bart Van Assche wrote:
>> On 6/18/25 9:03 PM, jackysliu wrote:
>>> 6.15-stable review patch, vulnerability exists since v6.9
>>>
>>> Out-of-bounds vulnerability found in ./drivers/scsi/sd.c.
>>> The vulnerability was found by Wukong-Agent
>>> (formerly Tencent Woodpecker), a code security AI agent,
>>> through static code analysis.
>>>
>>> The sd_read_block_limits_ext function is affected due to unreasonable boundary checks.
>>> An out-of-bounds read vulnerability exists in the
>>> Linux kernel's SCSI disk driver (./drivers/scsi/sd.c).
>>> The flaw occurs in the sd_read_block_limits_ext function
>>> when processing Vital Product Data (VPD) page B7 (Block Limits Extension)
>>> responses from storage devices.
>>>
>>> A maliciously crafted 4-byte VPD page (0xB7) would cause an out-of-bounds
>>> memory read, leading to potential system instability
>>> and driver state corruption.
>>
>> Reviewed-by: Bart Van Assche <bvanassche@acm.org>
>
> Just checking - are you sure? Please be careful with this work, that's
> AI-generated stuff which in some cases did not even compile or did not
> actually follow C code.
As one can see here, an in-depth review was performed before I replied
with "Reviewed-by":
https://lore.kernel.org/linux-scsi/07c4c84d-0c52-4843-b32d-6806e58892fe@acm.org/
Bart.