In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_debug: Fix type in min_t to avoid stack OOB
Change min_t() to use type "u32" instead of type "int" to avoid a stack out-of-bounds access. With min_t() type "int", the values get sign-extended and the larger value gets used, causing the stack out-of-bounds access.
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976
Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707

CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189
 memcpy+0x23/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976
 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000
 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162
 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]
 resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887
 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478
 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
 scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
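The type mistake the fix describes, as an added example that is not the kernel's own code: a stand-in for min_t() is applied to a 32-bit length whose top bit is set, first with type int (the buggy form, where the value turns negative and "wins" the comparison) and then with u32 (the fix). The response-array size of 32, the name alloc_len and the simplified min_t() macro are assumptions modelled on the driver, not values taken from this advisory.

```c
/* Added example (not kernel code): min_t(int, ...) versus min_t(u32, ...)
 * on a 32-bit length. The array size, the name alloc_len and the
 * simplified min_t() below are assumptions modelled on the driver. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Stand-in for the kernel's min_t(): both operands are cast to the
 * requested type before the comparison, so the type decides the winner. */
#define min_t(type, x, y) ((type)(x) < (type)(y) ? (type)(x) : (type)(y))

#define READCAP16_ARR_SZ 32   /* assumed size of the stack response array */

/* Buggy clamp: the u32 length is reinterpreted as a signed int. Any
 * length >= 0x80000000 becomes negative and is chosen as the "minimum". */
static int clamp_as_int(u32 alloc_len)
{
	return min_t(int, alloc_len, READCAP16_ARR_SZ);
}

/* Fixed clamp: compared as u32, the result can never exceed the array. */
static u32 clamp_as_u32(u32 alloc_len)
{
	return min_t(u32, alloc_len, READCAP16_ARR_SZ);
}

/* Models the copy helper taking a size_t: a negative int passed through
 * becomes a huge unsigned length. Returns 1 if the copy would read past
 * the stack array, 0 otherwise. */
static int copy_would_overflow(int arr_len)
{
	size_t len = (size_t)arr_len;   /* the implicit int -> size_t step */
	return len > READCAP16_ARR_SZ;
}

int main(void)
{
	u32 alloc_len = 0x80000000u;   /* constructed length with the top bit set */
	int bad = clamp_as_int(alloc_len);
	u32 good = clamp_as_u32(alloc_len);

	printf("min_t(int): %d, overflows stack array: %d\n",
	       bad, copy_would_overflow(bad));
	printf("min_t(u32): %u, overflows stack array: %d\n",
	       good, copy_would_overflow((int)good));
	return 0;
}
```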