In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: bsg: Fix crash when arpmb command fails
If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn().
In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len.
Memory crash backtrace:
3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22
4,1308,531166555,-;Call Trace:
4,1309,531166559,-; <TASK>
4,1310,531166565,-; ? show_regs+0x6d/0x80
4,1311,531166575,-; ? die+0x37/0xa0
4,1312,531166583,-; ? do_trap+0xd4/0xf0
4,1313,531166593,-; ? do_error_trap+0x71/0xb0
4,1314,531166601,-; ? usercopy_abort+0x6c/0x80
4,1315,531166610,-; ? exc_invalid_op+0x52/0x80
4,1316,531166622,-; ? usercopy_abort+0x6c/0x80
4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20
4,1318,531166643,-; ? usercopy_abort+0x6c/0x80
4,1319,531166652,-; __check_heap_object+0xe3/0x120
4,1320,531166661,-; check_heap_object+0x185/0x1d0
4,1321,531166670,-; __check_object_size.part.0+0x72/0x150
4,1322,531166679,-; __check_object_size+0x23/0x30
4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0
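
Added example, not part of the kernel commit or of this advisory: a Python triage check that parses /dev/kmsg-format records like the ones above and flags this crash signature, an ARPMB failure followed by a call trace containing usercopy_abort and bsg_transport_sg_io_fn. The function names, the 64-record window and the sample lines are assumptions made for the example.

```python
import re

# /dev/kmsg record layout: "<prio>,<seq>,<timestamp_us>,<flags>;<message>"
KMSG_RE = re.compile(r"^(\d+),(\d+),(\d+),([^;]*);(.*)$")
FAIL_RE = re.compile(r"ARPMB OP failed: error code (-?\d+)")
# Trace frame: optional "? " marks an unreliable frame, then symbol+off/size.
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_kmsg(lines):
    """Yield (seq, message) for each well-formed record, skipping the rest."""
    for line in lines:
        m = KMSG_RE.match(line.rstrip("\n"))
        if m:
            yield int(m.group(2)), m.group(5)

def find_arpmb_usercopy_crash(lines, window=64):
    """Return a finding when an ARPMB failure is followed, within `window`
    records, by a trace with usercopy_abort and bsg_transport_sg_io_fn."""
    fail, frames = None, None      # (seq, errno); frames seen in current trace
    for seq, msg in parse_kmsg(lines):
        m = FAIL_RE.search(msg)
        if m:
            fail, frames = (seq, int(m.group(1))), None
        elif msg.strip() == "Call Trace:":
            frames = []
        elif frames is not None:
            f = FRAME_RE.match(msg)
            if f:
                frames.append((f.group(2), f.group(1) is None))
                reliable = [s for s, ok in frames if ok]
                # usercopy_abort only shows up as "?" frames, so accept any.
                if (fail and seq - fail[0] <= window
                        and any(s == "usercopy_abort" for s, _ in frames)
                        and "bsg_transport_sg_io_fn" in reliable):
                    return {"errno": fail[1], "seq": fail[0], "frames": reliable}
            elif msg.strip() != "<TASK>":
                frames = None      # trace ended
    return None

# Constructed sample: a subset of this page's trace, underscores restored.
SAMPLE = """\
3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22
4,1308,531166555,-;Call Trace:
4,1309,531166559,-; <TASK>
4,1314,531166601,-; ? usercopy_abort+0x6c/0x80
4,1320,531166661,-; check_heap_object+0x185/0x1d0
4,1322,531166679,-; __check_object_size+0x23/0x30
4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0
""".splitlines()
```

A hit on an unpatched host means a failed ARPMB request reached the bsg reply copy; the reported errno (-22 in the sample) is the error code from the driver's own log line.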