CVE-2025-21738

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21738
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21738.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-21738
Published
2025-02-27T03:15:14Z
Modified
2025-08-09T19:01:28Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-sff: Ensure that we cannot write outside the allocated buffer

reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory.

While an ATA device is supposed to abort an ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug.

Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer.

Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.
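
The kind of bounds check described above, shown as an added userspace model; it is not the kernel patch and not code from this record. It assumes a 512-byte sector, a device that keeps signalling data-ready after the buffer is full, and hypothetical names (struct pio_cmd, pio_sector_checked, guard_intact_after).

```c
#include <stdio.h>
#include <string.h>

#define SECT_SIZE 512u  /* assumed PIO sector size for this model */

/* Hypothetical stand-in for the command state; not the kernel's struct. */
struct pio_cmd {
    unsigned char *buf;  /* allocated data buffer */
    size_t nbytes;       /* its size, e.g. out_len = 0xd42 */
    size_t curbytes;     /* bytes transferred so far */
};

/* Bytes a full-sector copy would place past the buffer (curbytes <= nbytes). */
static size_t overrun_if_unclamped(size_t nbytes, size_t curbytes)
{
    size_t left = nbytes - curbytes;
    return left < SECT_SIZE ? SECT_SIZE - left : 0;
}

/* Copy one sector, clamped to the space left; returns bytes copied. */
static size_t pio_sector_checked(struct pio_cmd *c, const unsigned char *sector)
{
    if (c->curbytes >= c->nbytes) return 0;  /* buffer full: drop the data */
    size_t left = c->nbytes - c->curbytes;
    size_t count = left < SECT_SIZE ? left : SECT_SIZE;
    memcpy(c->buf + c->curbytes, sector, count);
    c->curbytes += count;
    return count;
}

/* Feed 'requests' sectors into an nbytes buffer; 1 if nothing past it changed. */
static int guard_intact_after(size_t nbytes, unsigned requests)
{
    static unsigned char mem[8192];
    unsigned char sector[SECT_SIZE];
    struct pio_cmd c = { mem, nbytes, 0 };
    if (nbytes > sizeof(mem) - SECT_SIZE) return 0;
    memset(mem, 0xAA, sizeof(mem));        /* 0xAA marks bytes that must survive */
    memset(sector, 0x55, sizeof(sector));  /* constructed device data */
    while (requests--) pio_sector_checked(&c, sector);
    for (size_t i = nbytes; i < sizeof(mem); i++)
        if (mem[i] != 0xAA) return 0;
    return c.curbytes == nbytes;
}

int main(void)
{
    printf("overrun=%zu guard_ok=%d\n", overrun_if_unclamped(0xd42, 6 * SECT_SIZE), guard_intact_after(0xd42, 10));
    return 0;
}
```

With out_len 0xd42 (3394 bytes), six full sectors leave 322 bytes, so in this model an unclamped seventh sector would land 190 bytes past the buffer.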
