In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_debug: Don't call kcalloc() if size arg is zero
If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR. Because of that, for a following NULL pointer check to work on the returned pointer, kcalloc() must not be called with the size arg equal to zero. Return early without error before the kcalloc() call if the size arg is zero.
BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789

CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:446 [inline]
 kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189
 memcpy+0x3b/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:191 [inline]
 sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]
 do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]
 resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276
 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478
 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
 scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62
 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102
 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]
 scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930
 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
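The reason a plain NULL check does not catch this is that the kernel's kcalloc() returns the sentinel ZERO_SIZE_PTR, defined as ((void *)16), for a zero-size request; that is exactly the address 0x10 in the "Write of size 4 at addr 0000000000000010" line of the report. The following user-space model is an added example, not code from the kernel or from the scsi_debug driver: mock_kcalloc(), fetch_before() and fetch_after() are hypothetical stand-ins that reproduce the zero-size sentinel behaviour, show the "before" path where only a NULL check guards the buffer, and the "after" path that returns early without error before the allocation, as the fix describes. The sample input buffer is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the kernel's sentinel for zero-size allocations: non-NULL,
 * never dereferenceable.  The kernel defines ZERO_SIZE_PTR as
 * ((void *)16), which matches the 0x10 write address in the KASAN report. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(p) ((uintptr_t)(p) <= (uintptr_t)ZERO_SIZE_PTR)

/* Hypothetical user-space stand-in for kcalloc(): returns the sentinel
 * when either factor is zero, a real zeroed buffer otherwise.  Assumption
 * for this example, not the kernel's implementation. */
static void *mock_kcalloc(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return ZERO_SIZE_PTR;
    return calloc(n, size);
}

/* kfree() tolerates NULL and ZERO_SIZE_PTR; the model does the same. */
static void mock_kfree(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

enum fetch_result {
    FETCH_OK = 0,
    FETCH_NOMEM = -1,
    FETCH_WOULD_DEREF_SENTINEL = -2  /* stands in for the crash in the splat */
};

/* Constructed sample data to copy into the allocated buffer. */
static const uint8_t sample_in[4] = { 0xde, 0xad, 0xbe, 0xef };

/* "Before": the only guard is a NULL check, which ZERO_SIZE_PTR passes.
 * In the kernel the subsequent copy wrote through the sentinel; here the
 * model stops one step short and reports that it would have done so. */
static int fetch_before(const uint8_t *src, size_t lb_size, size_t vnum,
                        uint8_t **out)
{
    uint8_t *arr = mock_kcalloc(lb_size, vnum);

    *out = NULL;
    if (!arr)                      /* NULL check: does not see the sentinel */
        return FETCH_NOMEM;
    if (arr == ZERO_SIZE_PTR)      /* this is where the kernel crashed */
        return FETCH_WOULD_DEREF_SENTINEL;
    memcpy(arr, src, lb_size * vnum);
    *out = arr;
    return FETCH_OK;
}

/* "After": return early without error when the size is zero, so the
 * allocator is never asked for a zero-size buffer and the NULL check
 * that follows is sufficient. */
static int fetch_after(const uint8_t *src, size_t lb_size, size_t vnum,
                       uint8_t **out)
{
    uint8_t *arr;

    *out = NULL;
    if (lb_size == 0 || vnum == 0)
        return FETCH_OK;           /* nothing to allocate, nothing to copy */
    arr = mock_kcalloc(lb_size, vnum);
    if (!arr)
        return FETCH_NOMEM;
    memcpy(arr, src, lb_size * vnum);
    *out = arr;
    return FETCH_OK;
}

int main(void)
{
    uint8_t *buf = NULL;

    printf("before, zero size: %d\n", fetch_before(sample_in, 0, 4, &buf));
    printf("after,  zero size: %d (buf=%p)\n",
           fetch_after(sample_in, 0, 4, &buf), (void *)buf);
    printf("after,  2x2 bytes: %d\n", fetch_after(sample_in, 2, 2, &buf));
    mock_kfree(buf);
    return 0;
}
```

Running it shows the "before" path reaching the sentinel (result -2) while the "after" path returns 0 with no buffer for the zero-size case and a filled buffer otherwise. The ZERO_OR_NULL_PTR() macro is the kernel's own idiom for the rare places that must accept both values; the fix in this advisory avoids needing it by never making the zero-size request at all.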