In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
In resp_mode_select() sanity check the block descriptor len to avoid UAF.
BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113
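
The kind of check the description refers to, as an added user-space example; it is not the kernel patch and not code from scsi_debug.c. The function name, the -1 error convention and the sample buffers are assumptions made for illustration; the header layout (4-byte header with the block descriptor length in byte 3 for MODE SELECT(6), 8-byte header with a big-endian length in bytes 6..7 for MODE SELECT(10)) follows the SCSI mode parameter list format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not from scsi_debug.c): return the page code of the
 * first mode page in a MODE SELECT parameter list of `len` received bytes,
 * or -1 if the list is malformed. */
int mode_select_page_code(const uint8_t *buf, size_t len, int mselect6)
{
    size_t hdr_len = mselect6 ? 4 : 8;  /* mode parameter header size */
    size_t bd_len, off;

    if (buf == NULL || len < hdr_len)
        return -1;                       /* header itself is truncated */

    /* Block descriptor length: byte 3 for the 6-byte command, bytes 6..7
     * (big-endian) for the 10-byte command. The sender controls it. */
    bd_len = mselect6 ? (size_t)buf[3] : (((size_t)buf[6] << 8) | buf[7]);

    /* Sanity check: the offset of the first mode page must fall inside
     * the bytes actually received, otherwise buf[off] reads past them. */
    off = hdr_len + bd_len;
    if (off >= len)
        return -1;

    return buf[off] & 0x3f;              /* page code is the low 6 bits */
}

/* Constructed sample parameter lists (not captured from a real device). */
static const uint8_t ok6[]   = { 0, 0, 0, 8,  0, 0, 0, 0, 0, 0, 2, 0,  0x0a, 0x0a };
static const uint8_t bad6[]  = { 0, 0, 0, 0xff,  0x0a, 0x0a };
static const uint8_t ok10[]  = { 0, 0, 0, 0, 0, 0, 0, 0,  0x1c, 0x0a };
static const uint8_t bad10[] = { 0, 0, 0, 0, 0, 0, 0xff, 0xff,  0x1c };

int main(void)
{
    printf("ok6   -> %d\n", mode_select_page_code(ok6, sizeof(ok6), 1));
    printf("bad6  -> %d\n", mode_select_page_code(bad6, sizeof(bad6), 1));
    printf("ok10  -> %d\n", mode_select_page_code(ok10, sizeof(ok10), 0));
    printf("bad10 -> %d\n", mode_select_page_code(bad10, sizeof(bad10), 0));
    return 0;
}
```

Without the `off >= len` test, the `bad6` and `bad10` lists would index far beyond the received data, which is the class of out-of-bounds read KASAN reports in the trace above.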