CVE-2025-21738
Published: Feb 27, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 - < a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4caffected 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 - < d5e6e3000309359eae2a17117aa6e3c44897bf6caffected 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 - < 0dd5aade301a10f4b329fa7454fdcc2518741902affected 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 - < 0a17a9944b8d89ef03946121241870ac53ddaf45affected 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 - < 6e74e53b34b6dec5a50e1404e2680852ec6768d2 |
Linux | Linux | affected 2.6.22unaffected 0 - < 2.6.22unaffected 6.1.129 - <= 6.1.*unaffected 6.6.78 - <= 6.6.*unaffected 6.12.14 - <= 6.12.*+2 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now