In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
The following issue was observed running syzkaller:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815

CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe4/0x14a lib/dump_stack.c:118
 print_address_description+0x73/0x280 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report+0x272/0x370 mm/kasan/report.c:410
 memcpy+0x1f/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:377 [inline]
 sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
 fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
 resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
 schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
 scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
 scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
 scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
 __blk_run_queue_uncond block/blk-core.c:464 [inline]
 __blk_run_queue+0x1a4/0x380 block/blk-core.c:484
 blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
 sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
 sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
 sg_write+0x64/0xa0 drivers/scsi/sg.c:622
 __vfs_write+0xed/0x690 fs/read_write.c:485
 kill_bdev:block_device:00000000e138492c
 vfs_write+0x184/0x4c0 fs/read_write.c:549
 ksys_write+0x107/0x240 fs/read_write.c:599
 do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
We get 'alen' from the command; its type is int. If userspace passes a large length, we get a negative 'alen'.
Switch n, alen, and rlen to u32.
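The signed-versus-unsigned length clamp described above, as an added stand-alone C illustration (not the kernel's own code): it models how the allocation length taken from the command is clamped before the copy, first with int lengths and then with u32 lengths, using a constructed 12-byte CDB and a constructed buffer size. The CDB layout (allocation length in bytes 6..9, big-endian), the buffer size TGTPGS_ARR_SZ and the response length n are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed response buffer size standing in for the driver's fixed array. */
#define TGTPGS_ARR_SZ 1412u

/* Constructed REPORT TARGET PORT GROUPS CDBs (allocation length in bytes 6..9).
 * The first asks for 16 bytes; the second carries 0xFFFFFFFF, which is -1 as an int. */
static const uint8_t kCdbSmall[12] = { 0xA3, 0x0A, 0, 0, 0, 0, 0x00, 0x00, 0x00, 0x10, 0, 0 };
static const uint8_t kCdbHuge[12]  = { 0xA3, 0x0A, 0, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF, 0, 0 };

/* Big-endian 32-bit read of the allocation-length field. */
static uint32_t alloc_len(const uint8_t *cdb)
{
    return ((uint32_t)cdb[6] << 24) | ((uint32_t)cdb[7] << 16) |
           ((uint32_t)cdb[8] << 8)  |  (uint32_t)cdb[9];
}

/* Before the fix: alen, n and rlen are int, so both min() steps compare signed
 * values and a wrapped-negative alen survives them. Returns what reaches the copy. */
static int64_t copy_len_signed(const uint8_t *cdb, int n)
{
    int alen = (int)alloc_len(cdb);              /* 0xFFFFFFFF becomes -1 */
    int rlen = alen < n ? alen : n;              /* -1 < n, so rlen = -1 */
    return rlen < (int)TGTPGS_ARR_SZ ? rlen : (int)TGTPGS_ARR_SZ;
}

/* After the fix: the same three lengths as u32, so min() cannot yield a negative. */
static int64_t copy_len_unsigned(const uint8_t *cdb, uint32_t n)
{
    uint32_t alen = alloc_len(cdb);
    uint32_t rlen = alen < n ? alen : n;         /* 0xFFFFFFFF is simply "large" */
    return rlen < TGTPGS_ARR_SZ ? rlen : TGTPGS_ARR_SZ;
}

/* The copy routine takes a size_t: a negative int turns into a huge length here. */
static int copy_is_in_bounds(int64_t len)
{
    size_t buflen = (size_t)len;
    return buflen <= TGTPGS_ARR_SZ;
}

int main(void)
{
    const uint32_t n = 36;                       /* assumed generated response length */
    int64_t before = copy_len_signed(kCdbHuge, (int)n);
    int64_t after  = copy_len_unsigned(kCdbHuge, n);
    printf("int lengths: copy %lld bytes, in bounds: %d\n", (long long)before, copy_is_in_bounds(before));
    printf("u32 lengths: copy %lld bytes, in bounds: %d\n", (long long)after, copy_is_in_bounds(after));
    return 0;
}
```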